ui technology guide for sap s/4hana 1809 - help.sap.com · apps, as well as apps based on web...

PUBLIC2018-09-27

UI Technology Guide for SAP S/4HANA 1809

© 2

018

SAP

SE o

r an

SAP affi

liate

com

pany

. All r

ight

s re

serv

ed.

THE BEST RUN

Content

1 SAP S/4HANA UI Technology. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

2 Getting Started. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72.1 SAP Fiori UX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72.2 App Types and Database Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82.3 Implementation Planning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92.4 Required Documentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

3 Setup of SAP Fiori System Landscape. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123.1 Deployment Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123.2 Pre-Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143.3 Required Product Versions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Downloading Product Versions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163.4 Installation of a New Front-End Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Specify Language Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Installation of Release Information Notes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Setup of Clients. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

3.5 Using an Existing Front-End Server (Hub Deployment). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Configuration Using Task Lists. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21Communication Channels. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

3.6 Using an Existing Back-End Server (Embedded Deployment). . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41Configuration Using Task Lists. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42Communication Channels. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

4 Configuration of SAP Fiori Infrastructure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594.1 Setup of SAP Fiori Launchpad. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594.2 Configuration of the SAP Fiori Launchpad. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594.3 Create RFC Connection for Back-End Transactions (Object Pages). . . . . . . . . . . . . . . . . . . . . . . . . 604.4 User Assistance Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Enable Context-Sensitive User Assistance for SAP Fiori Launchpad. . . . . . . . . . . . . . . . . . . . . . 61Enable User Assistance for the Back-End System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

4.5 SAP CoPilot. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 664.6 SAP Fiori Search. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66

Setup of SAP Fiori Search. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Enable SAP Fiori Search for Multiple Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70

4.7 Enable SAP Fiori Apps for Multiple Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 704.8 Integrating SAP Jam (Optional). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 714.9 Extended Material Number in SAP Fiori Apps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

2 P U B L I CUI Technology Guide for SAP S/4HANA 1809

Content

4.10 Running Apps in Standalone Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 724.11 Setup of SAPUI5 Application Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

5 App Implementation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 745.1 User Management and Authorization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

UI Content and Authorization Concept. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75Recommendations for Organizing SAP Fiori UI Entities and Authorizations. . . . . . . . . . . . . . . . . 79General Authorizations Required for SAP Fiori. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80Users in ABAP Front-End System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82Users in ABAP Back-End System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82

5.2 Implementation Tasks on Front-End Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83SAP Fiori Apps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83SAP GUI for HTML transactions, Web Dynpro applications and Design Studio apps. . . . . . . . . . . 86Maintain Business Catalogs and Business Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91Create PFCG Role on Front-End and Assign Launchpad Catalogs and Groups. . . . . . . . . . . . . . . 98Assign Roles to Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

5.3 Implementation Tasks on Back-End Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100SAP GUI for HTML transactions, Web Dynpro applications and Design Studio apps. . . . . . . . . . . 101Assign RFC Authorization to User. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105Create PFCG Role on Back-End. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106Assign Roles to Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108Create Search Connectors for Object Pages on Back-End Server. . . . . . . . . . . . . . . . . . . . . . . 108

5.4 Creating Custom Analytical Apps Using a KPI Tile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109Modeling KPIs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109Configuring Navigation in SAP Smart Business. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

6 Troubleshooting for SAP Fiori Apps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1126.1 Tools For Error Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1126.2 General Problems and Solutions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Caching Problems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114SAP Fiori App Cannot Be Opened. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114Error “Service Failed” in App. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116Web Dynpro ABAP / SAP GUI for HTML App Cannot Be Started. . . . . . . . . . . . . . . . . . . . . . . . 117New App in Catalog Does Not Appear on the SAP Fiori Launchpad. . . . . . . . . . . . . . . . . . . . . . .117SAP Fiori Content Doesn't Get Deleted Correctly. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119Chip Instance Not Found. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120No Or Too Little Data Is Shown in the App. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120OData Service of Factsheets Cannot Be Activated. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121How to Find Out which SAP GUI Transactions Can Be Used on the SAP Fiori Launchpad. . . . . . . 122How to Improve Ticket Processing Time. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122Apps For Job Scheduling or Application Log Display Cannot Be Opened. . . . . . . . . . . . . . . . . . 124Apps Are Not Working Anymore After Upgrade. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

UI Technology Guide for SAP S/4HANA 1809Content P U B L I C 3

System Error When Accessing Knowledge Provider. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

7 Extensibility. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1277.1 Adapting the User Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1277.2 Creating Custom Fields and Custom Business Logic. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1277.3 Adding Custom Views. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1287.4 Adapting Database Extensions to SAP S/4HANA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129


Content

Document History

Version Date Description

1.0 September 21, 2018 Initial Version

UI Technology Guide for SAP S/4HANA 1809Document History P U B L I C 5

1 SAP S/4HANA UI Technology

With SAP S/4HANA, all new functions, features, and innovations are accessible in the SAP Fiori launchpad. Using the launchpad, you can call up all apps for which you have been granted access. These can be SAP Fiori apps, as well as apps based on Web Dynpro and SAP GUI for HTML technology.

This guide explains how to setup a front-end server including the SAP Fiori launchpad, and how to implement the individual apps.

The guide is intended for system administrators and technical consultants.


SAP S/4HANA UI Technology

2 Getting Started

2.1 SAP Fiori UX

Use

SAP Fiori is the new user experience (UX) for SAP software that applies modern design principles. SAP solutions, such as SAP S/4HANA, are using the SAP Fiori UX to provide a personalized, responsive, and simple user experience.

SAP Fiori UX speaks a consistent design language and makes use of a common technical infrastructure. By blurring traditional computing boundaries and by using interactive and attractive UI elements, SAP Fiori UX provides a consistent end-to-end user experience and can be used across all device types (for example, desktop, tablet, and mobile).

Organized by user roles, the SAP Fiori launchpad is the central entry hub to all SAP Fiori apps, where users access apps via tiles. Within the launchpad, there are services for navigation, personalization, single sign-on, and search. The launchpad and the tiles are flexible and can be adapted to your needs.

You can use the search in the SAP Fiori launchpad to search for business objects and for apps. For more information, see SAP Fiori Search.

Apps applying the SAP Fiori UX focus on the most critical and common activities and are designed around how people work:

● Role-based: Designed for you, your needs and how you work● Responsive: Supports how and where you work, at any time● Simple: Focuses on the important● Coherent: Provides one fluid, seamless experience● Delightful: Makes an emotional connection

All UIs are built using state-of-the-art technology such as HTML5 and SAPUI5. SAP Fiori apps allow you to access the most recent version of your back end data via OData services. Using previously defined roles and authorizations, you can specify which apps and which data a user is allowed to access.

More Information

For more information about the SAP Fiori launchpad, see Setup of SAP Fiori Launchpad.

UI Technology Guide for SAP S/4HANA 1809Getting Started P U B L I C 7

2.2 App Types and Database Requirements

In SAP S/4HANA, you can use the following SAP Fiori app types:

● Apps that are launched by using an app launcher tileFor these apps, what information is displayed and how it is displayed is defined as part of the provided app-specific content. You cannot adapt or configure the information displayed by these apps. However, in the SAP Fiori launchpad, you can control what each user sees by grouping these apps into catalogs and groups and assigning them to roles.Apps that are launched by using an app launcher tile can be:○ Transactional apps

These apps let you perform transactional tasks, such as creating a leave request for an employee. They represent simplified views and interaction with existing business processes and solutions.

○ Object PagesThese apps display contextual information and key facts about central objects used in your business operations.

● Analytical apps that are launched by using a KPI tileAnalytical apps provide insight into the real-time operations of your business by collecting and displaying analytic information and indicators, such as KPIs, directly in your browser. To do this, the analytical apps combine the data and analytical power of SAP HANA with the integration and interface components of SAP Fiori.You can easily create custom analytical apps that are launched by using a KPI tile by using the SAP Smart Business Modeler apps: You can use or adapt the predefined KPIs or model your own KPIs. To determine which KPIs are displayed for each user in the SAP Fiori launchpad, you can group these KPIs and assign them to roles. A generic drill-down application included in the SAP Smart Business foundation component provides access to detail views for each tile. You can use predefined templates of the drill-down application or configure this drill-down application according to your requirements.

These SAP Fiori apps are using SAPUI5 as the UI technology. In addition to that, SAP S/4HANA contains further apps using different UI technologies than SAPUI5. These apps can be called from the Fiori launchpad and need a specific configuration. These are the following apps:

● Web Dynpro appsSome analytical or transactional apps use the well-established Web Dynpro UI technology. This UI technology offers floorplan patterns, which are ideal for analytical or planning purposes.

● SAP GUI for HTML apps

System Landscape

For landscapes with multiple SAP S/4HANA systems, we recommend an embedded deployment of the SAP Fiori front-end server instead of a hub deployment, i.e. installing the product version SAP Fiori for SAP S/4HANA together with the corresponding back-end product version SAP S/4HANA on the same system.

For more information, see Deployment Options [page 12].


Getting Started

2.3 Implementation Planning

From the range of SAP Fiori apps, SAP supports you to choose the apps that are most relevant for your business and guides you through the implementation. This section provides an overview of tools that you can use for planning the implementation.

Discover SAP Fiori Apps with Innovation Discovery

To simplify your search for SAP Fiori apps, SAP offers a self-service providing you with innovations tailored to your business as well as comprehensive business and technical information.

Innovation discovery is a self-service tool that simplifies your search for new functionality SAP has delivered (as enhancement packages, support packages, add-ons, or improvement notes). SAP thereby bridges the gap between business needs on the one hand and technical information regarding innovations on the other. An innovation corresponds to one or several product features. Innovation discovery contains only SAP Business Suite innovations.

If Maintenance Planner information is available for an SAP Fiori app, you can access it from innovation discovery.

You access innovation discovery at https://apps.support.sap.com/innovation-discovery/ .

For more information, see the innovation discovery help that is available from innovation discovery.

Plan the System Landscape with Maintenance Planner

Maintenance Planner is a graphical tool on SAP Support Portal to plan and prepare the maintenance of systems in your landscape. Using Maintenance Planner, you can do, for example, the following:

● Select and install new systems for SAP Fiori apps● Choose the target version for the installation● Understand the impact of planned changes in a system landscape● Download the consolidated stack XML and push all the required archives to the download basket

Maintenance Planner relates to the SAP Fiori apps reference library, if available, as follows:

● Navigate to Maintenance Planner to get detailed landscape planning information.

You access Maintenance Planner at https://apps.support.sap.com/sap/support/mp .

For more information, see SAP Help Portal at http://help.sap.com/maintenanceplanner .


http://help.sap.com/disclaimer?site=https%3A%2F%2Fapps.support.sap.com%2Finnovation-discovery%2F

http://help.sap.com/disclaimer?site=https%3A%2F%2Fapps.support.sap.com%2Fsap%2Fsupport%2Fmp

http://help.sap.com/disclaimer?site=http%3A%2F%2Fhelp.sap.com%2Fmaintenanceplanner

Find Detailed Information about SAP Fiori Apps with the SAP Fiori Apps Reference Library

With the SAP Fiori apps reference library, you explore, plan, and support implementing SAP Fiori apps. For example, you can do the following:

● Discover all the SAP Fiori apps that are available, including previous versions● Display key information for each app, including documentation and the technical data that you need to

install and configure the app● Navigate to related tools● Download the aggregated installation and configuration data for a selection of apps

The SAP Fiori apps reference library relates to the other tools, if available, as follows:

● Navigate to innovation discovery to get more information about the app● Navigate to Maintenance Planner to get detailed landscape planning information● Navigate to the product availability matrix● Download data (consolidated list of launchpad catalogs, ICF nodes, OData services, and search

connectors) for use in task lists for automatic configuration

You access the SAP Fiori apps reference library at http://www.sap.com/fiori-apps-library .

2.4 Required Documentation

In the following table you will find the most important documentation you require to implement your SAP Fiori System Landscape and the apps. Further documents and SAP Notes are referenced in the sections of this guide where needed.

Document Available at

SAP FIORI FOR SAP S/4HANA 1809: Release Information Note

SAP Note 2667191

Additional Implementation Activities for All Finance Apps

NoteWe recommend that you also read this document when you implement apps outside of Finance. Some of the settings are also relevant for other application areas, in particular, the activation of the Central Simple Finance Fiori Reuse Library.

Go to http://help.sap.com/s4hana_op_1809, enter Additional Implementation Activities for All Finance Apps into the search bar, press Enter and open the search result with that title.


Getting Started

http://help.sap.com/disclaimer?site=http%3A%2F%2Fwww.sap.com%2Ffiori-apps-library

http://help.sap.com/disclaimer?site=https://launchpad.support.sap.com/#/notes/2667191

http://help.sap.com/s4hana_op_1809

Document Available at

App-specific implementation documentation http://help.sap.com/s4hana_op_1809 under Product Assistance

Under each area, you can find the respective apps and their app-specific implementation information.

Maintenance Planner User Guide http://help.sap.com/maintenanceplanner

SAP Fiori Launchpad Go to http://help.sap.com/s4hana_op_1809, enter SAP Fiori Launchpad into the search bar, press Enter and open the search result with that title.

SAP Gateway Foundation Go to http://help.sap.com/s4hana_op_1809, enter SAP Gateway Foundation (SAP_GWFND) into the search bar, press Enter and open the search result with that title.

ABAP Platform Security Guide Go to http://help.sap.com/s4hana_op_1809, enter ABAP Platform Security Guide into the search bar, press Enter and open the search result with that title.

Installation of SAP Systems Based on the Application Server ABAP

http://support.sap.com/sltoolset System Provisioning

Install a System using Software Provisioning Manager

Installation Guides - Application Server Systems

SAP Fiori Client User Guide http://help.sap.com/fiori-client

SAP Web Dispatcher Go to http://help.sap.com/s4hana_op_1809, enter SAP Web Dispatcher into the search bar, press Enter and open the search result with that title.

Enterprise Search http://help.sap.com/s4hana_op_1809 under Product

Assistance Enterprise Technology ABAP Platform

Administrating the ABAP Platform Enterprise Search

Analytics http://help.sap.com/s4hana_op_1809 under Product

Assistance Cross Components Analytics

Latest UI5 Patch Go to https://launchpad.support.sap.com/#/softwarecenter , search for SAPUI5 CLIENT RUNTIME 1.00 and navi

gate to Support Package Patches [Latest Patch]

Related Info Content Info







http://help.sap.com/disclaimer?site=http%3A%2F%2Fsupport.sap.com%2Fsltoolset

http://help.sap.com/disclaimer?site=http%3A%2F%2Fhelp.sap.com%2Ffiori-client




http://help.sap.com/disclaimer?site=https%3A%2F%2Flaunchpad.support.sap.com%2F%23%2Fsoftwarecenter

http://help.sap.com/disclaimer?site=https%3A%2F%2Flaunchpad.support.sap.com%2F%23%2Fsoftwarecenter

3 Setup of SAP Fiori System Landscape

Use

This system landscape applies to the intranet deployment scenario. When accessing SAP Fiori apps over the Internet, that is, from outside the corporate network, make sure the access is secure. For more information, see Deployment Options [page 12].

Set up the system landscape to enable SAP Fiori before you start to implement an app.

The apps require front-end components (providing the user interface and the connection to the back end) and back-end components (providing the data). The front-end components and the back-end components are delivered in separate products and have to be installed in a system landscape that is enabled for SAP Fiori.

3.1 Deployment Options

Deployment of SAP Fiori Front-End Server

SAP Fiori front-end server is an add-on product for Application Server ABAP and delivers the technology software components for the front end that are required to run SAP Fiori apps with the required stack definition.

Before implementing SAP Fiori front-end server, you have to decide how the main components of this product will be deployed in your system landscape. SAP Fiori front-end server allows various deployment options, which result in different system landscape architectures.

The supported landscape deployment options are described in a catalog, including their advantages and potential drawbacks.

You have the following options to set up SAP Fiori front-end server in an SAP system landscape:

● Embedded deploymentSAP Fiori front-end server is deployed into the AS ABAP of a back-end system.

● Hub deployment for single back-end systemsA dedicated AS ABAP front-end server with SAP Fiori front-end server is deployed in a standalone system in front of the back-end system, either behind or in front of the firewall.

There are also specific deployment options and each supported option has advantages and potential drawbacks in terms of lifecycle, operations, and sizing.

NoteSAP Fiori apps for SAP S/4HANA may have additional requirements for system landscape setup. For more information, see the SAP Fiori apps reference library and the release-specific Notes for the apps you want to deploy.


Setup of SAP Fiori System Landscape

https://fioriappslibrary.hana.ondemand.com/sap/fix/externalViewer/

Intranet Deployment

You can deploy SAP Fiori apps in the intranet, that is, inside your corporate network.

The SAP Fiori documentation focuses on the intranet deployment scenario.

When accessing SAP Fiori apps over the Internet, that is, from outside the corporate network, you have to perform additional tasks. For more information, see the following section Internet-Facing Deployment.

Internet-Facing Deployment

RecommendationWhen setting up SAP Fiori apps for consumption from outside the corporate network, we recommend that you deploy SAP Web Dispatcher in the demilitarized zone (DMZ).

RecommendationIn addition, we highly recommend using Web Application Firewall capabilities in SAP Web Dispatcher or using an additional Web Application Firewall as first line of defense, especially when consuming SAP Fiori analytical apps or search capabilities over the Internet.

SAP Web Dispatcher should only forward requests to services in the internet communication manager that are necessary to run SAP Fiori apps.

There are services to run the SAP Fiori launchpad and services to run the specific apps:

● For the services to run the SAP Fiori launchpad, go to http://help.sap.com/s4hana_op_1809, enter Initial Setup of the Launchpad into the search bar, press Enter , open the search result with that title, and navigate to Configuring ICF Nodes.

● For the services to run the specific apps, see the app-specific documentation.For information about how to activate the specific services, see Activate ICF Services of SAPUI5 Application [page 85].

For an internet-facing deployment of mobile devices, you can use the SAP Mobile Platform Server. SAP Mobile Platform Server is an open, standards-based application server that provides a suite of services for mobile applications. By integrating SAP Mobile Platform Server into your SAP Fiori system landscape, you can create a secure, efficient, and easy-to-manage mobile environment for SAP Fiori.

More Information

For more information on SAP Fiori front-end server deployment for SAP S/4HANA, see SAP Note 2590653 .

For more information about SAP Mobile Platform Server, see Integration of SAP Mobile Platform into SAP Fiori Landscape at http://help.sap.com/s4hana_op_1809 under Additional Information.

UI Technology Guide for SAP S/4HANA 1809Setup of SAP Fiori System Landscape P U B L I C 13




For more information about Gateway deployment options, go to http://help.sap.com/s4hana_op_1809, enter SAP Gateway Foundation Master Guide into the search bar, press Enter , open the search result with that title, and navigate to Deployment Options.

For more information about using multiple network zones, go to http://help.sap.com/s4hana_op_1809, enter Using Multiple Network Zones into the search bar, press Enter , and open the search result with that title.

3.2 Pre-Installation

Before you begin to install the system landscape for SAP Fiori, make sure you have planned the following:

Network Architecture

You have to decide in which network zones the components of the SAP Fiori system landscape reside.

For example, should the clients be able to access the SAP Fiori apps over the Internet, or only within the company's intranet? Is there a demilitarized zone (DMZ) and is the SAP Web Dispatcher deployed there? Depending on your network architecture, make sure you have the right security measures in place, such as a secure firewall configuration.

Certificates for Single Sign-On

For single sign-on (SSO) using logon tickets, you require an SSL server certificate for each of the components between which you want to use SSO.

Components can be, depending on your system landscape:

● SAP Web Dispatcher● Gateway on front-end server● ABAP back-end server

NoteDepending on from where you obtain the certificates, it can take several days to get them.

For more information, see section SAP HANA Authentication and Single Sign-On in the SAP HANA Security Guide at http://help.sap.com/hana_platform Security .

Browser Prerequisites

SAP Fiori apps require a web browser that can display files in HTML5 format.





http://help.sap.com/disclaimer?site=http%3A%2F%2Fhelp.sap.com%2Fhana_platform

For more information, see Setup of Clients.

Roles and Authorizations

You have to decide how to set up the roles and authorizations for the SAP Fiori users. This includes, for example, which user group uses which apps.

For more information, see User Management and Authorization.

Operating System Access for SAP HANA Database

To configure HTTPS and SSO in the SAP HANA database, the administrator requires access to SAP HANA on the operating system level.

For more information, see Operating System User <sid>adm in the SAP HANA Administration Guide at http://help.sap.com/hana_platform System Administration .

3.3 Required Product Versions

Database

● ABAP front-end server:The underlying database for the ABAP front-end server must be one of the following databases with the following product versions:○ SAP HANA database (SAP HANA DATABASE 1.0 or SAP HANA DATABASE 2.0)○ SAP MaxDB 7.9 64-BIT (MAXDB 7.9 64-BIT)○ Sybase ASE (SYBASE ASE 15.7 FOR BUS. SUITE) or SAP ASE ( SAP ASE 16.0 FOR BUS.

SUITE)● ABAP back-end server:

The underlying database for the ABAP back-end server must be SAP HANA database (SAP HANA DATABASE 2.0).

SAP FIORI FRONT-END SERVER

You require SAP Fiori front-end server 5.0 (front-end server: NW 7.51 SP06 or higher). It contains the following components with the respective versions:

● SAP Gateway Foundation (software component version SAP Gateway FOUNDATION 7.51 SP06 or higher)




● User Interface Technology (software component version USER INTERFACE TECHNOLOGY 7.53)● UI for Basis Applications (software component version UI FOR BASIS APPLICATIONS 400) - containing

SAP NetWeaver Fiori Apps

For more information about the setup and configuration of SAP Fiori, go to http://help.sap.com/s4hana_op_1809, enter SAP Fiori: Setup and Configuration into the search bar, press Enter , and open the search result with that title.

SAP Fiori for SAP S/4HANA

The SAP Fiori apps for SAP S/4HANA are delivered with the product SAP Fiori for SAP S/4HANA (SAP FIORI FOR SAP S/4HANA 1809).

3.3.1 Downloading Product Versions

Context

You use the Maintenance Planner to download the required product versions. Maintenance Planner calculates the required software components, enables the download of archives, and creates a stack configuration file. Create a common stack configuration file for SAP Fiori for S/4HANA and SAP Fiori front-end server 3.0 to install the products in a common installation procedure.

NoteYou cannot plan the installation of the back-end and front-end for S/4HANA in a single Maintenance Planner run. You have to do this separately and you will receive two stack configuration files, one for the front-end, and one for the back-end.

Procedure

1. You can launch Maintenance Planner as follows:

○ From the SAP Fiori apps reference library at http://www.sap.com/fiori-apps-library , if available for the required apps.

○ On SAP Support Portal at https://apps.support.sap.com/sap/support/mp .2. Proceed as described in the Maintenance Planner User Guide at the SAP Help Portal at http://

help.sap.com/maintenanceplanner





http://help.sap.com/disclaimer?site=http%3A%2F%2Fwww.sap.com%2Ffiori-apps-library

http://help.sap.com/disclaimer?site=https%3A%2F%2Fapps.support.sap.com%2Fsap%2Fsupport%2Fmp



3.4 Installation of a New Front-End Server

Use

This document covers the general steps to take when installing SAP Fiori apps.

Prerequisites

Pre-Installation

You have performed specific pre-installation tasks (see Pre-Installation).

Procedure

Perform the following installation tasks:

1. Download the product versions via the maintenance planner (see Required Product Versions [page 15] and Downloading Product Versions).

2. Install SAP Web Dispatcher 7.5 as the reverse proxy.For more information, go to http://help.sap.com/s4hana_op_1809, enter Operating SAP Web Dispatcher into the search bar, press Enter , open the search result with that title and navigate to the section Installing SAP Web Dispatcher.

3. Setup of Front-End ServerPerform the following installation tasks on the front-end server:1. Install SAP Fiori Front-End Server and SAP Fiori for SAP S/4HANA. For the installation, follow the

instructions in the installation guide available athttp://support.sap.com/sltoolset under System Provisioning Installation Option of Software Provisioning Manager Installation Guides - Application Server Systems .

2. Specify the default language and the logon language.For more information, see Specify Language Settings.

4. Install the required SAP Notes for front-end and back-end server (see Installation of SAP Notes).5. Setup the required clients (see Setup of Clients).

3.4.1 Specify Language Settings

Use

You must specify the settings for supported languages in the Gateway system. Settings include default and logon languages.




For more information, go to http://help.sap.com/s4hana_op_1809, enter Language Settings into the search bar, press Enter , and open the search result with that title.

Prerequisites

You have installed the same language packages for SAP Fiori in the Gateway system and the back-end system.

Activities

Default Languages

Ensure that the default language of the Gateway system is the same as the default language of the back-end system, for example, English. If this is not the case, ensure that the Gateway system contains a subset of the languages of the back-end system.

Logon Languages

The logon language for the ABAP application server is set according to the following process:

1. If the Mandatory Logon Data indicator has been activated for a service in transaction SICF, the system uses the language that was entered there.

2. If this is not the case, but the HTTP request contains the language in the HTTP header (as a header or a form field), you log on to the system using this language.

3. The browser settings of the calling client are then used. The system selects as the logon language the first language from the list that is maintained in the browser, and which is also installed in the SAP system. The language list is specified using the HTTP header field accept-language.

Note

With Internet Explorer, you can for example set the language you require by choosing ToolsInternet Options Languages .

4. If no language is defined by this process, the classic SAP system mechanisms are used. The logon language is based on the user settings (in transaction SU01) and if nothing is entered here, the default language of the SAP system is used automatically.

3.4.2 Installation of Release Information Notes

The SAP Note 2667191 provides important overview information and links to further SAP Notes that you need to implement.





3.4.3 Setup of Clients

SAP Fiori apps are designed for both desktop and mobile device and can be used with an HTML5-capable web browser. For more information about supported combinations of device, browser and operating system, see SAP Note 1935915 .

SAP created the SAP Fiori Client available for Android, iOS and Windows Phone 8.1 to provide the following assets to SAP Fiori apps running inside SAP Fiori Client:

● Additional native capabilities (such as Camera, Barcode Scanner) on top of what a typical browser provides.

● Management of the local web cache better when new versions of the application are released by the Fiori server.

● Additional security to protect the application from unauthorized access.● Provisioning the user certificate through Mobile Secure and SAP Mobile Platform.

For more information about SAP Fiori Client, see SAP Help Portal at http://help.sap.com/fiori-client SAP Fiori Client User Guide .

3.5 Using an Existing Front-End Server (Hub Deployment)

Concept

You can use an existing front-end server (hub) for the SAP Fiori for SAP S/4HANA installation. Existing apps continue to run against the old back-end systems while the newly installed applications of SAP Fiori for SAP S/4HANA need to be configured to run against the SAP S/4HANA system. As a prerequisite, you have to migrate the database of the central hub system and upgrade the system.

Implementation Considerations

SAP Fiori for SAP S/4HANA includes all apps which can be used with the corresponding SAP S/4HANA back-end system. For some areas, it updates the existing app versions on the front-end server as well. Take the following known dependencies into account when you plan the installation.

● When using one of the following UI products on the front-end server, ensure that you meet the minimum Support Package Stack level in the back-end systems of your existing landscape. As an alternative, you can also deselect these components when you plan the upgrade in the SAP Maintenance Planner.

Product Minimum Product Version and SPS level in Back-End System

Master Data Governance (SAP FIORI FOR SAP MDG 2.0) SAP ERP 6.0 EHP 8 SPS 07



http://help.sap.com/disclaimer?site=http%3A%2F%2Fhelp.sap.com%2Ffiori-client

Product Minimum Product Version and SPS level in Back-End System

Information Lifecycle Management (SAP FIORI FOR SAP ILM 1.0)

SAP NetWeaver 7.40 SPS 08

Human Capital Management (SAP FIORI FOR SAP ERP HCM 1.0)

SAP ERP 6.0 EHP 7 SPS 09 and SAP Fiori for SAP ERP HCM 1.0 SPS 02

● Not all SAP Fiori product versions installed on the front-end server are released for the new version SAP Fiori front-end server 3.0 (front-end server: NW 7.50 or front-end server: NW 7.51) to which you need to upgrade. You need to uninstall any app which is not released to be able to upgrade the front-end server. For more information, see SAP Notes 2034588 and 2200415 .

● For customers running SAP Simple Finance 2.0 or lower on their front-end server, it is not possible to install the SAP Fiori for SAP S/4HANA 1610 on the same instance.

● It's mandatory to upgrade My Inbox 100 (UIX01CA1) to My Inbox 200 (Approve Request UI 2.0).

Activities

1. Migrate your database to one of the supported database systems.The front-end server for SAP S/4HANA is supported on SAP HANA, SAP MaxDB, or SAP ASE as database management system. Migrate you database, if necessary.

2. If necessary, uninstall not released SAP Fiori apps. For more information, see SAP Notes 2034588 and 2011192 .

3. Upgrade the front-end server to SAP Fiori front-end server 3.0 (front-end server: NW 7.50 or front-end server: NW 7.51).You can combine the upgrade of the front-end server and installation of SAP Fiori for SAP S/4HANA in one step. When you plan this upgrade in the SAP Maintenance Planner, the Maintenance Planner will create a common stack configuration file for all installed components.Proceed as described in the Upgrade and Update Guides.

4. Configure the apps as described in this document and in the app-specific implementation information.

NoteYou do not have to configure the apps of the UI products listed in the table above.

NoteIf you move from SAP Suite on SAP HANA to SAP S/4HANA and want to make modifications you had made to the SAP HANA database visible on the UIs again, you have to carry out manual steps in different content layers. For more information, see Adapting Database Extensions to SAP S/4HANA [page 129]







3.5.1 Configuration Using Task Lists

Use

You can perform ABAP system configuration tasks in an automated way by using predefined task lists.

For SAP Fiori, task lists support you in setting up and configuring the communication channels between the client, the front-end, and the back-end servers.

Prerequisites

● You are assigned the necessary roles to execute task lists.For more information, go to http://help.sap.com/s4hana_op_1809, enter Configuration using ABAP Task Manager for Lifecycle Management Automation into the search bar, press Enter , open the search result with that title and navigate to Standard Roles and Permissions.

Features

The following table lists the predefined task lists that are available for SAP Fiori. When you execute a task list, the system guides you through the configuration of the tasks that are included in the task list. In addition, the task list contains documentation that describes the tasks in the task list in more detail. After executing a task list, you do not have to execute the corresponding tasks manually.

Task Task List Description Related Information

Gateway – Basic Config-uration

SAP_GATEWAY_BASIC_CONFIG

You use this task list on the front-end server to perform basic configuration steps for Gateway.

Activating Gateway [page 29]

SAP Fiori Launchpad Initial Setup

SAP_FIORI_LAUNCHPAD_INIT_SETUP

You use this task list on the front-end server to activate launchpad OData and HTTP services on an Gateway system (front end).

Setup of SAP Fiori Launchpad [page 59]

Create Trusted Connection from SAP System to Gateway

SAP_SAP2GATEWAY_TRUSTED_CONFIG

You use this task list on the back-end server to create a trusted connection from an SAP system to Gateway.

NoteYou have to execute this task list in dialog.

Connect Gateway to Back-End System (Trusted RFC) [page 28]

Logon Tickets [page 40]

ABAP Servers: Setup of Communication [page 26]

Setting Up SSO for SAP Fiori and SAP S/4HANA [page 37]




Enable Embedded Search

SAP_ESH_INITIAL_SETUP_WRK_CLIENT

You use this task list for the automatic initial setup of Embedded Search in the working client. This task list executes the obligatory preparation steps for the implementation of Embedded Search. This can take a very long time, so start the task list in the background.

Setup of SAP Fiori Search [page 67]

Gateway – Add Backend System

SAP_GATEWAY_ADD_SYSTEM

You use this task list on the front-end server to connect an SAP system (back end) to an Gateway system (front end). The task list creates or uses an existing trusted remote function call (RFC) destination, checks the single sign-on (SSO) profile parameters, config-ures the SSO ticket and creates a system alias. Changes are recorded on a customizing request that you have to create or select at the beginning of the task list.

NoteThe task list uses a trusted RFC destination with the current user. Maintain the authorization object S_RFCACL in the back-end system and assign the corresponding role or profile to the current user.

Creating System Alias for Applications [page 30]

Gateway – Maintain System Alias

SAP_GATEWAY_ADD_SYSTEM_ALIAS

You use this task list on the front-end server to create a system alias for an existing remote function call destination. Configure the remote function call destination as trusted. Changes are recorded on a customizing request that you have to create or select at the beginning of the task list.





Gateway – Activate OData Services

SAP_GATEWAY_ACTIVATE_ODATA_SERV

You use this task list on the front-end server to activate OData services for the SAP Fiori apps. OData services provide information about the app tiles to be displayed.

Activate OData Services for Several SAP Fiori Apps [page 84]

SAP Basis – Activate HTTP Services (SICF)

SAP_BASIS_ACTIVATE_ICF_NODES

You use this task list on the front-end server to activate HTTP services (SICF) according to transaction SICF. ICF nodes provide access to web resources.

Activate ICF Services of SAPUI5 Application [page 85]

Enable Embedded Search on work clients


You use this task list for the automatic initial setup of Embedded Search in work clients. This can take a very long time, so start the task list in the background.


On one server in same client:

● Gateway – Basic Configuration

● SAP Fiori Launchpad Initial Setup

● Gateway – Activate OData Services

● SAP Basis – Activate HTTP Services (SICF)

SAP_GW_FIORI_ERP_ONE_CLNT_SETUP

You use this task list to configure Gateway and SAP Fiori on the same client where the S/4HANA system is located. The task list consists of tasks that are available with the following task lists:

● SAP_GATEWAY_BASIC_CONFIG

● SAP_FIORI_LAUNCHPAD_INIT_SETUP

● SAP_GATEWAY_ACTIVATE_ODATA_SERV

● SAP_BASIS_ACTIVATE_ICF_NODES



Go to http://help.sap.com/s4hana_op_1809, enter Initial Setup of the Launchpad into the search bar, press Enter , open the search result with that title, and navigate to Activating SAP Gateway OData Services and Configuring ICF Nodes.



Procedure

1. Decide which task list you want to execute. Refer to the table above.2. Execute the task lists with the ABAP Task Manager for Lifecycle Management Automation, transaction

STC01.3. Display the documentation that is available in the selected task list.




More Information

For more information about working with task lists in general and the required authorizations, see the Technical Configuration Automation ABAP configuration guide at http://support.sap.com/sltoolset under System Provisioning Install a System using Software Provisioning Manager Configuration Guides - Automated Initial Setup .

For more information about task lists for setting up Enterprise Search, go to http://help.sap.com/s4hana_op_1809, enter Executing Task Manager Task Lists into the search bar, press Enter , and open the search result with that title.

3.5.2 Communication Channels

Use

To transfer application data and security credentials within your SAP Fiori system landscape, communication between the client, the front end, and the back end is established by using different communication channels and protocols:

System Landscape with SAP HANA Database: Communication Channels






Communication Between Client and SAP Web Dispatcher

The client can issue the following types of requests:

● HTML requests● OData requests● InA search requests

SAP Web Dispatcher forwards these requests to the ABAP front-end server or to the relevant back-end server (ABAP or SAP HANA). For communication between SAP Web Dispatcher and the client, an HTTPS connection is established.

Communication Between SAP Web Dispatcher and ABAP Servers

For SAP Fiori search and transactional apps, SAP Web Dispatcher forwards the following types of requests to the ABAP front-end server and the ABAP back-end server:

● ABAP front-end server:○ HTML requests○ OData requests

● ABAP back-end server:○ InA search requests (SAP Fiori search only)

For communication between SAP Web Dispatcher and the ABAP servers, HTTPS connections are established.

Communication Between ABAP Front-End and ABAP Back-End Server

Data and services from the ABAP back-end server are provided for all apps to the ABAP front-end server by using OData services.

For communication between the ABAP front-end server and the ABAP back-end server, a trusted RFC connection is established.

More Information

For information about setting up communication encryption, go to http://help.sap.com/s4hana_op_1809, enter ABAP Platform Security Guide into the search bar, press Enter , open the search result with that title and navigate to the section Network and Communication Security Transport Layer Security .

For information about setting up communication encryption for SAP HANA, see SAP Help Portal at http://help.sap.com/viewer/p/SAP_HANA_PLATFORM under Security SAP HANA Security Guide SAP HANA Network and Communication Security Securing Data Communication .



http://help.sap.com/disclaimer?site=http%3A%2F%2Fhelp.sap.com%2Fviewer%2Fp%2FSAP_HANA_PLATFORM


3.5.2.1 ABAP Servers: Setup of Communication

Activities

To set up the connections between SAP Web Dispatcher and the ABAP servers, you must make the following settings:

● Configure HTTP security session management for the ABAP front-end server and for the ABAP back-end server.

● Configure the ABAP front-end server and the ABAP back-end server to support SSL.● For object pages, configure SAP Fiori Search. For more information, see Setup of SAP Fiori Search [page

67].

To set up the connection between SAP Gateway on your ABAP front-end server and the application system on your ABAP back-end server, you must make the following settings:

● Define a trust relationship between the application system on the back-end server and the SAP Gateway system on the front-end server.

● Create an RFC destination in the SAP Gateway system to the application system.● Activate SAP Gateway on the ABAP front-end server.● Create system aliases for applications.

RecommendationTo ensure confidentiality and integrity of data, we recommend protecting HTTP connections by using Transport Layer Security (TLS) or Secure Sockets Layer (SSL).

For information about setting up communication encryption, go to http://help.sap.com/s4hana_op_1809, enter ABAP Platform Security Guide into the search bar, press Enter , open the search result with that title and navigate to Network and Communication Security Transport Layer Security .

3.5.2.1.1 Configuring ABAP Server Session Security

Use

For the ABAP front-end server and the ABAP back-end server running Enterprise Search, you must activate HTTP security session management by using the transaction SICF_SESSIONS. When you activate HTTP security session management, we recommend that you activate the following extra protection for security-related cookies:

● HttpOnlyThis attribute instructs the browser to deny access to the cookie through client side script. As a result, even if a cross-site scripting (XSS) flaw exists and a user accidentally accesses a link that exploits this flaw, the browser will not reveal the cookie to a third party.

● SecureThis attribute instructs the browser to send the cookie only if the request is being sent over a secure channel such as HTTPS. This helps protect the cookie from being passed over unencrypted requests.




NoteA token-based protection against cross-site request forgery (CSRF) is active by default in SAP Gateway SAP Fiori OData services. It protects all modifying requests.

In addition, we recommend configuring HTTP session expiration with a reasonable timeout. To configure this, you use the profile parameter http/security_session_timeout.

Logout from Multiple Systems

SAP Fiori apps only support logout with the ABAP front-end server. If additional Gateway systems are deployed, the corresponding HTTP sessions are not closed when the user logs out. In this case, it is important to have session expiration configured.

More Information

For more information about activating HTTP security session management, go to http://help.sap.com/s4hana_op_1809, enter Activating HTTP Security Session Management on AS ABAP into the search bar, press Enter , and open the search result with that title.

For more information about session security protection for Gateway, go to http://help.sap.com/s4hana_op_1809, enter SAP Gateway Foundation Security Guide into the search bar, press Enter , open the search result with that title and navigate to the section Session Security Protection.

3.5.2.1.2 Configuring the AS ABAP to Support SSL

All communication between the client, SAP Web Dispatcher, and the ABAP servers is handled by using HTTPS connections. To secure these HTTPS connections, you must configure all ABAP servers to support the Secure Sockets Layer (SSL) protocol.

For more information about the steps that are required to enable SSL on the ABAP servers, go to http://help.sap.com/s4hana_op_1809, enter Configuring AS ABAP to Support SSL into the search bar, press Enter , and open the search result with that title.

NoteFor secure communication between SAP Web Dispatcher and the ABAP servers, SSL must also be enabled for SAP Web Dispatcher. For more information about setting up SSL for SAP Web Dispatcher, see Configuring Communication Channel between Clients and SAP Web Dispatcher [page 32].








3.5.2.1.3 Connect Gateway to Back-End System (Trusted RFC)

Use

In the back-end system, you must create an RFC destination to the Gateway system on your front-end server and define the trust relationship between the back-end system (to be the trusting system) and the Gateway system (to be the trusted system).

NoteYou can perform setup tasks for SAP Fiori by using task lists that SAP delivers. A task list groups configuration tasks logically and guides you through the necessary tasks.

For an overview of all task lists and tasks for SAP Fiori, go to http://help.sap.com/s4hana_op_1809, enter Configuration Using Task Lists into the search bar, press Enter , and open the search result with that title.

The following task list applies for this step:

● SAP_SAP2GATEWAY_TRUSTED_CONFIG

For more information about how to maintain the trust relationship, go to http://help.sap.com/s4hana_op_1809, enter Defining Trust for SAP Systems into the search bar, press Enter , and open the search result with that title.

NoteEnsure that the RFC connection is securely configured.

For information about the required security settings, go to http://help.sap.com/s4hana_op_1809, enter RFC Communication Between SAP Systems into the search bar, press Enter , open the search result with that title and navigate to the section Network Security and Communication.

3.5.2.1.4 Managing RFC Destinations

Use

You define remote function call (RFC) destinations from the ABAP front-end server to the ABAP back-end system(s). Additionally, define an RFC destination that has the front-end server itself as target for local RFC calls.

Prerequisites

You have created the trusted relationship because the back-end servers must already trust the front-end server. For more information, see Connect Gateway to Back-End System (Trusted RFC).







Procedure

1. In Customizing for SAP NetWeaver, choose UI Technologies SAP Fiori Initial Setup Connection Settings (Front-End Server to ABAP Back-End Server) Manage RFC Destinations .

2. Define the required RFC destinations.

For more information about the settings, go to http://help.sap.com/s4hana_op_1809, enter Creating an RFC Destination for SAP Gateway Hub to SAP System into the search bar, press Enter and open the search result with that title.

3.5.2.1.5 Activating Gateway

Use

Before you can use Gateway functionality, you have to activate it globally in your system. You can activate and deactivate Gateway. When you deactivate it, all Gateway services stop running, no consumer servers can communicate with it, and an error message is sent to any system that calls for the services.



You can use the following task list to perform this step:


Prerequisites

Ensure that you have installed and configured the consumer server.

You have completed the installation and post-installation configuration for Gateway. For more information, see Connect Gateway to Back-End System (Trusted RFC) and Managing RFC Destinations.

Procedure

1. In Customizing for SAP NetWeaver, choose UI Technologies SAP Fiori Initial Setup Connection Settings (Front-End Server to ABAP Back-End Server) Activate SAP Gateway .A message displays.




2. Choose Activate.A message displays informing you of the current status.

3.5.2.1.6 Creating System Alias for Applications

Use

An SAP system alias is needed as the logical name of a system connection, that is, you specify where the SAP system alias should point to. Depending on the Gateway content scenario and your system landscape you thus set up the system alias. The system alias is the result of the routing for an inbound request on Gateway. It can be a remote or a local system. If that system alias is flagged as a Local GW (Local Gateway) instance, it means that the system that is responsible for processing (managing and storing) the data of an inbound request is the local Gateway instance itself.

For the SAP Fiori system landscape, you need one system alias pointing to the front-end server with the indicator Local GW selected. For each back-end system that you want to use, you need at least one system alias with the software version Default. If you use approvals in a back-end system, you need an additional system alias for task processing within the workflows used in this back-end system.



The following task lists apply to this step:

● SAP_GATEWAY_ADD_SYSTEM● SAP_GATEWAY_ADD_SYSTEM_ALIAS

Prerequisites

You have defined remote function call (RFC) destinations from the ABAP front-end server to all back-end servers. For more information, see Managing RFC Destinations [page 28].

Procedure

1. In Customizing for SAP NetWeaver, choose UI Technologies SAP Fiori Initial Setup Connection Settings (Front-End Server to ABAP Back-End Server) Define SAP System Alias .

2. Choose New Entries.




3. Create the following SAP system aliases:○ For the front-end server: One SAP system alias with the Local GW indicator selected.○ For each back-end system: One SAP system alias with the corresponding RFC destination assigned

and the software version Default.○ For each back-end system for which you use approval apps: One additional SAP system alias for task

processing with the following parameters:○ Local GW: Not selected○ For Local App: Selected○ Software Version: Select the relevant data provider, such as /IWPGW/BWF.

For more information about further settings, go to http://help.sap.com/s4hana_op_1809, enter Creating an SAP System Alias into the search bar, press Enter , and open the search result with that title.

4. For proper functioning of remote SAP GUI and Web Dynpro ABAP applications integrated into SAP Fiori launchpad, you need to repeat the configuration of system aliases for remote systems in the launchpad configuration tables as well. For each connected back-end system, perform the following:○ Establish connections between front-end server and back-end systems (you can reuse RFC destination

of connection type 3 created for SAP Gateway).○ Register the back-end server location as safe host in the HTTP_WHITELIST table.

For more information, go to http://help.sap.com/s4hana_op_1809, enter Using a Whitelist for Clickjacking Framing Protection into the search bar, press Enter , and open the search result with that title.

○ Map the connections to system aliases.

For more information, go to http://help.sap.com/s4hana_op_1809, enter Integrating Remote Content into the search bar, press Enter , and open the search result with that title.

3.5.2.2 SAP Web Dispatcher: Setup of Communication

We recommend using the latest SAP Web Dispatcher version. For more information, see SAP Note 908097 .

Activities

To set up the connection between the client and SAP Web Dispatcher, you must make the following settings:

● Configure SAP Web Dispatcher to support SSL.● Configure the SAP Web Dispatcher server port.


● Define routing rules for SAP Web Dispatcher.● If you use X.509 client certificates for authentication at the ABAP servers, configure a trust relationship

between SAP Web Dispatcher and the ICM of the ABAP servers.







For information about setting up communication encryption, go to http://help.sap.com/s4hana_op_1809, enter ABAP Platform Security Guide into the search bar, press Enter , open the search result with that title, and navigate to Network and Communication Security Transport Layer Security .

3.5.2.2.1 Configuring Communication Channel between Clients and SAP Web Dispatcher

Use

To facilitate communication between the browser and the different systems in the SAP Fiori system landscape, you use SAP Web Dispatcher as a reverse proxy to ensure queries from the browser are correctly directed to the appropriate system.

As SAP Fiori apps access multiple back-end systems but JavaScript code is constrained by the Same Origin Policy, all systems are exposed to the browser through the reverse proxy, which brings them into a common origin (combination of protocol, host name, and port).

NoteYou can configure SAP Web Dispatcher to be able to handle a high load of incoming requests.

For more information, go to http://help.sap.com/s4hana_op_1809, enter Configuring SAP Web Dispatcher for High System Load Due to Inbound Requests into the search bar, press Enter , and open the search result with that title.

Prerequisites

You have implemented SAP Web Dispatcher.

Procedure

Configure SAP Web Dispatcher to Support SSL

All communication to back-end systems should be handled using HTTPS requests and SAP Web Dispatcher itself should be called using only HTTPS.

1. Open the Web Dispatcher profile.2. To configure HTTPS settings, you can copy the following source code and adapt it to your business

requirements:

ssl/ssl_lib = <sapcrypto dll> ssl/server_pse = <pse> icm/HTTPS/verify_client = 0 ssl/client_pse = <pse>





wdisp/ssl_encrypt = 1 wdisp/ssl_auth = 2 wdisp/ssl_cred = <pse> icm/HTTPS/forward_ccert_as_header = true

For more information about the parameters, go to http://help.sap.com/s4hana_op_1809, enter Configure SAP Web Dispatcher to Support SSL into the search bar, press Enter , and open the search result with that title.

Configure SAP Web Dispatcher Server Port

In order to satisfy the requirement of the Same Origin Policy, all systems in an SAP Fiori app landscape have to be served by a single Web server access point. Therefore, you configure a single icm/server_port in SAP Web Dispatcher to serve all back-end systems of an SAP Fiori scenario.

1. Open the Web Dispatcher profile.2. To configure the ports, you can copy the following source code and adapt it to your business requirements:

icm/server_port_0 = PROT=HTTPS,PORT=443,TIMEOUT=120

Additional parameters needed by SAP Fiori for correct request routing:

wdisp/system_conflict_resolution = FIRST_MATCH wdisp/handle_webdisp_ap_header = SET wdisp/add_xforwardedfor_header = true

For more information about the parameters, go to http://help.sap.com/s4hana_op_1809, enter Configuration of the Web Dispatcher Server Port into the search bar, press Enter , and open the search result with that title.

3.5.2.2.2 Defining Routing Rules for SAP Web Dispatcher and ABAP Front End

Use

For object pages, a connection is established between the ABAP front-end server (Gateway) and SAP Web Dispatcher. You define the routing rules to the required target system to ensure that requests are directed to the correct server.

For the connection between ABAP front-end server and SAP Web Dispatcher, you need the following routing rules:

URL Prefix Target System

/sap/bc Gateway

/sap/public Gateway

/sap/opu Gateway




Prerequisites

For more information about the prerequisites, see Configuring Communication Channel between Clients and SAP Web Dispatcher.

Procedure

RecommendationSAP recommends that only those requests corresponding to the services required for the applications that you want to use should be routed to the application servers.

1. Open the Web Dispatcher profile.2. Configure SAP Web Dispatcher for the Gateway server.

To configure the SAP Web Dispatcher for the Gateway server, you can copy the following source code and adapt it to your business requirements.

wdisp/system_0 = SID=<SID of the Gateway system>, MSHOST=<host name of Gateway system's message server>, MSPORT=<HTTP port of the Gateway system's message server>, SRCSRV=*:443, SRCURL=/sap/opu;/sap/bc;/sap/public

NoteThe SRCSRV and the CLIENT parameter are optional. For more information about the parameters, go to http://help.sap.com/s4hana_op_1809, enter wdisp/system_<xx> into the search bar, press Enter , and open the search result with that title.

If you configure multiple wdisp/system_xx parameters, make sure you use different indexes.

3.5.2.2.3 Defining Routing Rules for SAP Web Dispatcher and ABAP Back End

Use

For object pages, a connection is established between the ABAP back-end server and SAP Web Dispatcher. You define the routing rules to the required target system to ensure that requests are directed to the correct server.

For the connection between ABAP back-end server and SAP Web Dispatcher, you need the following routing rules:


/sap/es/ina Back-end server where Enterprise Search is installed




Prerequisites


Procedure


NoteThe backend systems provide the following two different types of service:

● Classic applications (Web Dynpro ABAP, SAP GUI for HTML) started by the SAP Fiori launchpad but running in the backend systemClassic applications run inside an iFrame. They have to be configured on a separate virtual host. One virtual host has to be used for each backend system.A virtual host is the combination of hostname and port number in the URL. The following are three different virtual hosts:https://erp.acme.com:443https://erp.acme.com:44301/https://scm.acme.com:443

● Services used inside the SAP Fiori launchpad page retrieving data from the backend system, such as Enterprise Search (https://<fes virtual host>/sap/es/ina)They are consumed with XMLHttpRequest using JavaScript and have to be configured in the same virtual host as the frontend server.

1. Open the Web Dispatcher profile.2. Configure SAP Web Dispatcher for the back-end server where the Enterprise Search is installed. To

configure the SAP Web Dispatcher for the back-end server where the Enterprise Search is installed, you can copy the following source code and adapt it to your business requirements:

wdisp/system_1 = SID=<SID of the back-end server>, MSHOST=<host name of back-end server system's message server>, MSPORT=<HTTP port of the back-end server system's message server>, SRCSRV=*:443, SRCURL=/sap/es/, CLIENT=200

Note

The SRCSRV is optional. For more information about the CLIENT parameter, see SAP Note 1963456 .

For more information about the parameters, go to http://help.sap.com/s4hana_op_1809, enter wdisp/system_<xx> into the search bar, press Enter , and open the search result with that title.





3.5.2.2.4 Configuring Trust Between SAP Web Dispatcher and ABAP Servers

For initial authentication at the ABAP front-end server and authentication for search requests at the ABAP back-end server (object pages), you can use different authentication methods, including X.509 certificates. If you want to use X.509 certificates, you must set up a trusted relationship between SAP Web Dispatcher and the Internet Communication Manager (ICM) of the relevant ABAP servers.

For more information about the steps that are required to configure the trusted relationship, go to http://help.sap.com/s4hana_op_1809, enter Configuring SAP Web Dispatcher and ABAP Servers for X.509-Based Logon (Optional) into the search bar, press Enter , and open the search result with that title.

3.5.2.3 User Authentication and Single Sign-On (SSO)

Use

System Landscape: User Authentication and Single Sign-On





Overview

The authentication concept for SAP Fiori apps comprises initial user authentication on the ABAP front-end server, followed by authentication of all requests to back-end systems.

Initial Authentication

When a user launches an SAP Fiori app, the launch request is sent from the client to the ABAP front-end server by the SAP Fiori launchpad. During launch, the ABAP front-end server authenticates the user by using one of the supported authentication and single sign-on (SSO) mechanisms. We recommend setting up SSO, thereby enabling users to start SAP Fiori apps using their single, existing credentials. As a fallback option, initial authentication can be based on the users' passwords on the ABAP front-end server. SAP provides a dedicated logon handler for form-based logon. After initial authentication on the ABAP front-end server, a security session is established between the client and the ABAP front-end server.

Authentication for Requests in the Back-End Systems

After initial authentication on the ABAP front-end server, the SAP Fiori apps and the SAP Fiori launchpad can send requests to the ABAP back-end server. For these requests to back-end servers, additional configuration of SSO mechanisms for authentication may be required.

Requests to the ABAP back-end server

Apps send OData requests through the ABAP front-end server towards the ABAP back-end server. After initial authentication, a security session is established between the client and the ABAP front-end server. OData requests towards the ABAP back-end server are then communicated securely by trusted RFC.

For search in SAP Fiori launchpad, applications send InA search requests from the client to the SAP HANA database. These requests can be authenticated with Kerberos/SPNego, X.509 certificates, or logon tickets. You can configure the ABAP front-end server to issue logon tickets after initial authentication, or you can use your existing portal to do so.

3.5.2.3.1 Setting Up SSO for SAP Fiori and SAP S/4HANA

Use

For SAP Fiori landscapes with SAP S/4HANA, you must configure an single sign-on (SSO) mechanism for initial authentication on the ABAP front-end server. After initial authentication, any requests to back-end ABAP systems are communicated securely by trusted RFC.

Procedure

To set up single sign-on for a system landscape with SAP S/4HANA, proceed as follows:

1. Configure initial authentication on the ABAP front-end server.2. Configure authentication for requests to the ABAP back-end server:

○ Configure a trusted RFC connection between the ABAP front-end server and the ABAP back-end server.


○ For search in the SAP Fiori launchpad, configure authentication in the back-end server, which processes the search requests. These requests can be authenticated with Kerberos/SPNego, X.509 certificates, or logon tickets. You can configure the ABAP front-end server to issue logon tickets after initial authentication, or you can use your existing portal to do so.





More Information

● For more information about specific SSO mechanisms for authentication, see SSO Mechanisms for SAP Fiori Apps.

● For more information about how to set up a trusted RFC, go to http://help.sap.com/s4hana_op_1809, enter RFC Scenarios into the search bar, press Enter , and open the search result with that title.

● For more information about configuring SAP Fiori search, see Setup of SAP Fiori Search [page 67].

3.5.2.3.2 SSO Mechanisms for SAP Fiori Apps

The following authentication and single sign-on (SSO) mechanisms are supported for SAP Fiori apps:

● Kerberos/SPNego● X.509 Certificates● SAML 2.0● Logon Tickets

3.5.2.3.2.1 Kerberos/SPNego

Use

If you access SAP Fiori apps from within your corporate network, you can enable Kerberos/SPNego authentication for the ABAP front-end server. This authentication is especially recommended, if you already have a Kerberos/SPNego infrastructure in place, for example, if you use Microsoft Active Directory.





Kerberos/SPNego authentication provides the following advantages:

● It simplifies the logon process by reusing credentials that have already been provided, for example, during logon to the Microsoft Windows workstation. A separate logon to the ABAP front-end server is not required.

● It is also supported for logon to the SAP GUI. Using Kerberos for both SAP GUI and HTTP access simplifies the Single Sign-On setup within your system landscape.

● It is supported by a growing number of mobile device vendors.

During logon, Kerberos/SPNego authentication requires access to an issuing system (for example, Microsoft Active Directory). As this system is typically located within the corporate network, Kerberos/SPNego cannot be used for most internet-facing deployment scenarios. To enable Single Sign-On with Kerberos/SPNego authentication from outside your corporate network, you might have to set up a VPN connection.

Kerberos/SPNego is available with the SAP Single Sign-On product, which also provides additional authentication mechanisms, such as X.509 certificates or an SAML Identity Provider.

For an overview of SAP Single Sign-On, see http://www.sap.com/pc/tech/security/software/single-sign-on/index.html .

Configuration

For more information about the configuration that is required for Kerberos/SPNego, see the Secure Login for SAP Single Sign-On Implementation Guide on SAP Help Portal at http://help.sap.com/sapsso .

3.5.2.3.2.2 X.509 Certificates

Use

If you have implemented a public-key infrastructure (PKI) for user authentication in your organization, you can use X.509 certificates by configuring the required back-end systems (ABAP or SAP HANA) to accept X.509 certificates.

Authentication with X.509 certificates provides the following advantages:

● It does not require an issuing system during logon, which means that it works well in internet-facing scenarios.

● It is also supported for logon to the SAP GUI. Using X.509 certificates for both SAP GUI and HTTP access simplifies the Single Sign-On setup within your system landscape.

X.509 certificates must be distributed to the workstations and devices that are used to access SAP Fiori apps. For mobile devices, this distribution can be performed centrally by a mobile device management software, for example SAP Afaria.

RecommendationAs X.509 certificates remain valid for a relatively long time, we recommend that you minimize the security risk by implementing a method to revoke the certificates, for example if a mobile device is lost.


http://help.sap.com/disclaimer?site=http%3A%2F%2Fwww.sap.com%2Fpc%2Ftech%2Fsecurity%2Fsoftware%2Fsingle-sign-on%2Findex.html


http://help.sap.com/disclaimer?site=http%3A%2F%2Fhelp.sap.com%2Fsapsso

Configuration

For information about the configuration that is required for X.509 certificates, go to http://help.sap.com/s4hana_op_1809, enter Configuring the AS ABAP to Use X.509 Client Certificates into the search bar, press Enter , and open the search result with that title.

3.5.2.3.2.3 SAML 2.0

Use

If you have implemented the security assertion markup language (SAML) version 2.0 as the method of single sign-on (SSO) within your organization, you can configure the ABAP front-end server for use with SAML 2.0.

This authentication method provides the following advantages:

● It includes extensive federation capabilities, which means that it works well in scenarios with federated user domains, where trust configuration can be complicated.

● It includes extensive user mapping capabilities that enable you to map SAP users based on identity attributes, such as the SAP user name attribute or a user's e-mail address. This means that SAML 2.0 works well for scenarios with multiple user domains.

During logon, SAML 2.0 authentication requires access to an issuing system (Identity Provider). To enable single sign-on with SAML 2.0 in internet-facing deployment scenarios that leverage its federation capabilities, you must ensure that the SAML Identity Provider is securely accessible from outside your corporate network.

NoteIn the SAP Fiori system landscape, SAML 2.0 is supported only for communication with the ABAP front-end server.

Configuration

For information about the configuration that is required for using SAML 2.0, go to http://help.sap.com/s4hana_op_1809, enter Configuring AS ABAP as a Service Provider into the search bar, press Enter , and open the search result with that title.

3.5.2.3.2.4 Logon Tickets

Use

For logon tickets, you must configure the ABAP front-end server to issue logon tickets. Alternatively, you can use an existing system, such as a portal, in your landscape that already issues logon tickets. In addition, you







must configure the required back-end systems (ABAP or SAP HANA) to accept logon tickets. You must also ensure that users in the ABAP system have the same user names as the database users in SAP HANA; user mapping is not supported.

As logon tickets are transferred as browser cookies, you can only use this authentication mechanism if all systems in your system landscape are located within the same DNS domain.

RecommendationThe new standardized authentication methods Kerberos/SPNego, X.509 certificates, and SAML 2.0 provide additional security and flexibility features compared to proprietary logon tickets. For example, you can define user mappings and shorten token validity periods or session lifetimes on the server. Therefore, we recommend using Kerberos/SPNego, X.509 certificates, or SAML 2.0 where technically possible.



The following task list includes a task for importing the system certificate from a remote system and adding the remote system to the Access Control List (ACL) according to transaction STRUSTSSO2:


Configuration

For information about the configuration that is required for using logon tickets, go to http://help.sap.com/s4hana_op_1809, enter Configuring AS ABAP to Accept Logon Tickets into the search bar, press Enter , and open the search result with that title.

3.6 Using an Existing Back-End Server (Embedded Deployment)

The SAP Fiori frontend server can be installed along with a SAP S/4HANA backend server (embedded deployment). While installing the SAP S/4HANA system, you can add additional front end components when you plan the installation/upgrade in the SAP Maintenance Planner.





3.6.1 Configuration Using Task Lists

Use

You can perform ABAP system configuration tasks in an automated way by using predefined task lists.

For SAP Fiori, task lists support you in setting up and configuring the communication channels between the client, the front-end, and the back-end servers.

Prerequisites

● You are assigned the necessary roles to execute task lists.For more information, go to http://help.sap.com/s4hana_op_1809, enter Configuration using ABAP Task Manager for Lifecycle Management Automation into the search bar, press Enter , open the search result with that title and navigate to Standard Roles and Permissions.

Features

The following table lists the predefined task lists that are available for SAP Fiori. When you execute a task list, the system guides you through the configuration of the tasks that are included in the task list. In addition, the task list contains documentation that describes the tasks in the task list in more detail. After executing a task list, you do not have to execute the corresponding tasks manually.


Gateway – Basic Config-uration

SAP_GATEWAY_BASIC_CONFIG

You use this task list on the front-end server to perform basic configuration steps for Gateway.


SAP Fiori Launchpad Initial Setup

SAP_FIORI_LAUNCHPAD_INIT_SETUP

You use this task list on the front-end server to activate launchpad OData and HTTP services on an Gateway system (front end).

Setup of SAP Fiori Launchpad [page 59]

Create Trusted Connection from SAP System to Gateway

SAP_SAP2GATEWAY_TRUSTED_CONFIG

You use this task list on the back-end server to create a trusted connection from an SAP system to Gateway.

NoteYou have to execute this task list in dialog.

Connect Gateway to Back-End System (Trusted RFC) [page 28]

Logon Tickets [page 40]

ABAP Servers: Setup of Communication [page 26]

Setting Up SSO for SAP Fiori and SAP S/4HANA [page 37]





Enable Embedded Search


You use this task list for the automatic initial setup of Embedded Search in the working client. This task list executes the obligatory preparation steps for the implementation of Embedded Search. This can take a very long time, so start the task list in the background.


Gateway – Add Backend System

SAP_GATEWAY_ADD_SYSTEM

You use this task list on the front-end server to connect an SAP system (back end) to an Gateway system (front end). The task list creates or uses an existing trusted remote function call (RFC) destination, checks the single sign-on (SSO) profile parameters, config-ures the SSO ticket and creates a system alias. Changes are recorded on a customizing request that you have to create or select at the beginning of the task list.

NoteThe task list uses a trusted RFC destination with the current user. Maintain the authorization object S_RFCACL in the back-end system and assign the corresponding role or profile to the current user.


Gateway – Maintain System Alias

SAP_GATEWAY_ADD_SYSTEM_ALIAS

You use this task list on the front-end server to create a system alias for an existing remote function call destination. Configure the remote function call destination as trusted. Changes are recorded on a customizing request that you have to create or select at the beginning of the task list.




Gateway – Activate OData Services

SAP_GATEWAY_ACTIVATE_ODATA_SERV

You use this task list on the front-end server to activate OData services for the SAP Fiori apps. OData services provide information about the app tiles to be displayed.


SAP Basis – Activate HTTP Services (SICF)

SAP_BASIS_ACTIVATE_ICF_NODES

You use this task list on the front-end server to activate HTTP services (SICF) according to transaction SICF. ICF nodes provide access to web resources.


Enable Embedded Search on work clients


You use this task list for the automatic initial setup of Embedded Search in work clients. This can take a very long time, so start the task list in the background.


On one server in same client:

● Gateway – Basic Configuration

● SAP Fiori Launchpad Initial Setup

● Gateway – Activate OData Services

● SAP Basis – Activate HTTP Services (SICF)

SAP_GW_FIORI_ERP_ONE_CLNT_SETUP

You use this task list to configure Gateway and SAP Fiori on the same client where the S/4HANA system is located. The task list consists of tasks that are available with the following task lists:




● SAP_BASIS_ACTIVATE_ICF_NODES



Go to http://help.sap.com/s4hana_op_1809, enter Initial Setup of the Launchpad into the search bar, press Enter , open the search result with that title, and navigate to Activating SAP Gateway OData Services and Configuring ICF Nodes.



Procedure

1. Decide which task list you want to execute. Refer to the table above.2. Execute the task lists with the ABAP Task Manager for Lifecycle Management Automation, transaction

STC01.3. Display the documentation that is available in the selected task list.





More Information

For more information about working with task lists in general and the required authorizations, see the Technical Configuration Automation ABAP configuration guide at http://support.sap.com/sltoolset under System Provisioning Install a System using Software Provisioning Manager Configuration Guides - Automated Initial Setup .

For more information about task lists for setting up Enterprise Search, go to http://help.sap.com/s4hana_op_1809, enter Executing Task Manager Task Lists into the search bar, press Enter , and open the search result with that title.

3.6.2 Communication Channels

Use

To transfer application data and security credentials within your SAP Fiori system landscape, communication between the client, the front end, and the back end is established by using different communication channels and protocols:

System Landscape with SAP HANA Database: Communication Channels





Communication Between Client and SAP Web Dispatcher

The client can issue the following types of requests:

● HTML requests● OData requests● InA search requests

SAP Web Dispatcher forwards these requests to the ABAP front-end server or to the relevant back-end server (ABAP or SAP HANA). For communication between SAP Web Dispatcher and the client, an HTTPS connection is established.

Communication Between SAP Web Dispatcher and ABAP Servers

For SAP Fiori search and transactional apps, SAP Web Dispatcher forwards the following types of requests to the ABAP front-end server and the ABAP back-end server:

● ABAP front-end server:○ HTML requests○ OData requests

● ABAP back-end server:○ InA search requests (SAP Fiori search only)

For communication between SAP Web Dispatcher and the ABAP servers, HTTPS connections are established.

Communication Between ABAP Front-End and ABAP Back-End Server

Data and services from the ABAP back-end server are provided for all apps to the ABAP front-end server by using OData services.

For communication between the ABAP front-end server and the ABAP back-end server, a trusted RFC connection is established.

More Information

For information about setting up communication encryption, go to http://help.sap.com/s4hana_op_1809, enter ABAP Platform Security Guide into the search bar, press Enter , open the search result with that title and navigate to the section Network and Communication Security Transport Layer Security .

For information about setting up communication encryption for SAP HANA, see SAP Help Portal at http://help.sap.com/viewer/p/SAP_HANA_PLATFORM under Security SAP HANA Security Guide SAP HANA Network and Communication Security Securing Data Communication .






3.6.2.1 ABAP Servers: Setup of Communication

Activities


● Configure HTTP security session management for the ABAP front-end server and for the ABAP back-end server.

● Configure the ABAP front-end server and the ABAP back-end server to support SSL.● For object pages, configure SAP Fiori Search. For more information, see Setup of SAP Fiori Search [page

67].

To set up the connection between SAP Gateway on your ABAP front-end server and the application system on your ABAP back-end server, you must make the following settings:

● Define a trust relationship between the application system on the back-end server and the SAP Gateway system on the front-end server.

● Create an RFC destination in the SAP Gateway system to the application system.● Activate SAP Gateway on the ABAP front-end server.● Create system aliases for applications.


For information about setting up communication encryption, go to http://help.sap.com/s4hana_op_1809, enter ABAP Platform Security Guide into the search bar, press Enter , open the search result with that title and navigate to Network and Communication Security Transport Layer Security .

3.6.2.1.1 Configuring ABAP Server Session Security

Use

For the ABAP front-end server and the ABAP back-end server running Enterprise Search, you must activate HTTP security session management by using the transaction SICF_SESSIONS. When you activate HTTP security session management, we recommend that you activate the following extra protection for security-related cookies:

● HttpOnlyThis attribute instructs the browser to deny access to the cookie through client side script. As a result, even if a cross-site scripting (XSS) flaw exists and a user accidentally accesses a link that exploits this flaw, the browser will not reveal the cookie to a third party.

● SecureThis attribute instructs the browser to send the cookie only if the request is being sent over a secure channel such as HTTPS. This helps protect the cookie from being passed over unencrypted requests.



NoteA token-based protection against cross-site request forgery (CSRF) is active by default in SAP Gateway SAP Fiori OData services. It protects all modifying requests.

In addition, we recommend configuring HTTP session expiration with a reasonable timeout. To configure this, you use the profile parameter http/security_session_timeout.

Logout from Multiple Systems

SAP Fiori apps only support logout with the ABAP front-end server. If additional Gateway systems are deployed, the corresponding HTTP sessions are not closed when the user logs out. In this case, it is important to have session expiration configured.

More Information

For more information about activating HTTP security session management, go to http://help.sap.com/s4hana_op_1809, enter Activating HTTP Security Session Management on AS ABAP into the search bar, press Enter , and open the search result with that title.

For more information about session security protection for Gateway, go to http://help.sap.com/s4hana_op_1809, enter SAP Gateway Foundation Security Guide into the search bar, press Enter , open the search result with that title and navigate to the section Session Security Protection.

3.6.2.1.2 Configuring the AS ABAP to Support SSL

All communication between the client, SAP Web Dispatcher, and the ABAP servers is handled by using HTTPS connections. To secure these HTTPS connections, you must configure all ABAP servers to support the Secure Sockets Layer (SSL) protocol.

For more information about the steps that are required to enable SSL on the ABAP servers, go to http://help.sap.com/s4hana_op_1809, enter Configuring AS ABAP to Support SSL into the search bar, press Enter , and open the search result with that title.

NoteFor secure communication between SAP Web Dispatcher and the ABAP servers, SSL must also be enabled for SAP Web Dispatcher. For more information about setting up SSL for SAP Web Dispatcher, see Configuring Communication Channel between Clients and SAP Web Dispatcher [page 32].

3.6.2.2 SAP Web Dispatcher: Setup of Communication

We recommend using the latest SAP Web Dispatcher version. For more information, see SAP Note 908097 .










Activities

To set up the connection between the client and SAP Web Dispatcher, you must make the following settings:

● Configure SAP Web Dispatcher to support SSL.● Configure the SAP Web Dispatcher server port.


● Define routing rules for SAP Web Dispatcher.● If you use X.509 client certificates for authentication at the ABAP servers, configure a trust relationship

between SAP Web Dispatcher and the ICM of the ABAP servers.


For information about setting up communication encryption, go to http://help.sap.com/s4hana_op_1809, enter ABAP Platform Security Guide into the search bar, press Enter , open the search result with that title, and navigate to Network and Communication Security Transport Layer Security .

3.6.2.2.1 Configuring Communication Channel between Clients and SAP Web Dispatcher

Use

To facilitate communication between the browser and the different systems in the SAP Fiori system landscape, you use SAP Web Dispatcher as a reverse proxy to ensure queries from the browser are correctly directed to the appropriate system.

As SAP Fiori apps access multiple back-end systems but JavaScript code is constrained by the Same Origin Policy, all systems are exposed to the browser through the reverse proxy, which brings them into a common origin (combination of protocol, host name, and port).

NoteYou can configure SAP Web Dispatcher to be able to handle a high load of incoming requests.

For more information, go to http://help.sap.com/s4hana_op_1809, enter Configuring SAP Web Dispatcher for High System Load Due to Inbound Requests into the search bar, press Enter , and open the search result with that title.




Prerequisites

You have implemented SAP Web Dispatcher.

Procedure

Configure SAP Web Dispatcher to Support SSL

All communication to back-end systems should be handled using HTTPS requests and SAP Web Dispatcher itself should be called using only HTTPS.

1. Open the Web Dispatcher profile.2. To configure HTTPS settings, you can copy the following source code and adapt it to your business

requirements:

ssl/ssl_lib = <sapcrypto dll> ssl/server_pse = <pse> icm/HTTPS/verify_client = 0 ssl/client_pse = <pse> wdisp/ssl_encrypt = 1 wdisp/ssl_auth = 2 wdisp/ssl_cred = <pse> icm/HTTPS/forward_ccert_as_header = true

For more information about the parameters, go to http://help.sap.com/s4hana_op_1809, enter Configure SAP Web Dispatcher to Support SSL into the search bar, press Enter , and open the search result with that title.

Configure SAP Web Dispatcher Server Port

In order to satisfy the requirement of the Same Origin Policy, all systems in an SAP Fiori app landscape have to be served by a single Web server access point. Therefore, you configure a single icm/server_port in SAP Web Dispatcher to serve all back-end systems of an SAP Fiori scenario.

1. Open the Web Dispatcher profile.2. To configure the ports, you can copy the following source code and adapt it to your business requirements:

icm/server_port_0 = PROT=HTTPS,PORT=443,TIMEOUT=120

Additional parameters needed by SAP Fiori for correct request routing:

wdisp/system_conflict_resolution = FIRST_MATCH wdisp/handle_webdisp_ap_header = SET wdisp/add_xforwardedfor_header = true

For more information about the parameters, go to http://help.sap.com/s4hana_op_1809, enter Configuration of the Web Dispatcher Server Port into the search bar, press Enter , and open the search result with that title.





3.6.2.2.2 Defining Routing Rules for SAP Web Dispatcher and ABAP Front End

Use

For object pages, a connection is established between the ABAP front-end server (Gateway) and SAP Web Dispatcher. You define the routing rules to the required target system to ensure that requests are directed to the correct server.

For the connection between ABAP front-end server and SAP Web Dispatcher, you need the following routing rules:


/sap/bc Gateway

/sap/public Gateway

/sap/opu Gateway

Prerequisites


Procedure


1. Open the Web Dispatcher profile.2. Configure SAP Web Dispatcher for the Gateway server.

To configure the SAP Web Dispatcher for the Gateway server, you can copy the following source code and adapt it to your business requirements.

wdisp/system_0 = SID=<SID of the Gateway system>, MSHOST=<host name of Gateway system's message server>, MSPORT=<HTTP port of the Gateway system's message server>, SRCSRV=*:443, SRCURL=/sap/opu;/sap/bc;/sap/public


NoteThe SRCSRV and the CLIENT parameter are optional. For more information about the parameters, go to http://help.sap.com/s4hana_op_1809, enter wdisp/system_<xx> into the search bar, press Enter , and open the search result with that title.


3.6.2.2.3 Configuring Trust Between SAP Web Dispatcher and ABAP Servers

For initial authentication at the ABAP front-end server and authentication for search requests at the ABAP back-end server (object pages), you can use different authentication methods, including X.509 certificates. If you want to use X.509 certificates, you must set up a trusted relationship between SAP Web Dispatcher and the Internet Communication Manager (ICM) of the relevant ABAP servers.

For more information about the steps that are required to configure the trusted relationship, go to http://help.sap.com/s4hana_op_1809, enter Configuring SAP Web Dispatcher and ABAP Servers for X.509-Based Logon (Optional) into the search bar, press Enter , and open the search result with that title.






3.6.2.3 User Authentication and Single Sign-On (SSO)

Use

System Landscape: User Authentication and Single Sign-On

Overview

The authentication concept for SAP Fiori apps comprises initial user authentication on the ABAP front-end server, followed by authentication of all requests to back-end systems.

Initial Authentication

When a user launches an SAP Fiori app, the launch request is sent from the client to the ABAP front-end server by the SAP Fiori launchpad. During launch, the ABAP front-end server authenticates the user by using one of the supported authentication and single sign-on (SSO) mechanisms. We recommend setting up SSO, thereby enabling users to start SAP Fiori apps using their single, existing credentials. As a fallback option, initial authentication can be based on the users' passwords on the ABAP front-end server. SAP provides a dedicated logon handler for form-based logon. After initial authentication on the ABAP front-end server, a security session is established between the client and the ABAP front-end server.

Authentication for Requests in the Back-End Systems


After initial authentication on the ABAP front-end server, the SAP Fiori apps and the SAP Fiori launchpad can send requests to the ABAP back-end server. For these requests to back-end servers, additional configuration of SSO mechanisms for authentication may be required.

Requests to the ABAP back-end server

Apps send OData requests through the ABAP front-end server towards the ABAP back-end server. After initial authentication, a security session is established between the client and the ABAP front-end server. OData requests towards the ABAP back-end server are then communicated securely by trusted RFC.

For search in SAP Fiori launchpad, applications send InA search requests from the client to the SAP HANA database. These requests can be authenticated with Kerberos/SPNego, X.509 certificates, or logon tickets. You can configure the ABAP front-end server to issue logon tickets after initial authentication, or you can use your existing portal to do so.

3.6.2.3.1 Setting Up SSO for SAP Fiori and SAP S/4HANA

Use

For SAP Fiori landscapes with SAP S/4HANA, you must configure an single sign-on (SSO) mechanism for initial authentication on the ABAP front-end server. After initial authentication, any requests to back-end ABAP systems are communicated securely by trusted RFC.

Procedure

To set up single sign-on for a system landscape with SAP S/4HANA, proceed as follows:

1. Configure initial authentication on the ABAP front-end server.2. Configure authentication for requests to the ABAP back-end server:

○ Configure a trusted RFC connection between the ABAP front-end server and the ABAP back-end server.

○ For search in the SAP Fiori launchpad, configure authentication in the back-end server, which processes the search requests. These requests can be authenticated with Kerberos/SPNego, X.509 certificates, or logon tickets. You can configure the ABAP front-end server to issue logon tickets after initial authentication, or you can use your existing portal to do so.








More Information

● For more information about specific SSO mechanisms for authentication, see SSO Mechanisms for SAP Fiori Apps.

● For more information about how to set up a trusted RFC, go to http://help.sap.com/s4hana_op_1809, enter RFC Scenarios into the search bar, press Enter , and open the search result with that title.

● For more information about configuring SAP Fiori search, see Setup of SAP Fiori Search [page 67].

3.6.2.3.2 SSO Mechanisms for SAP Fiori Apps

The following authentication and single sign-on (SSO) mechanisms are supported for SAP Fiori apps:

● Kerberos/SPNego● X.509 Certificates● SAML 2.0● Logon Tickets

3.6.2.3.2.1 Kerberos/SPNego

Use

If you access SAP Fiori apps from within your corporate network, you can enable Kerberos/SPNego authentication for the ABAP front-end server. This authentication is especially recommended, if you already have a Kerberos/SPNego infrastructure in place, for example, if you use Microsoft Active Directory.

Kerberos/SPNego authentication provides the following advantages:

● It simplifies the logon process by reusing credentials that have already been provided, for example, during logon to the Microsoft Windows workstation. A separate logon to the ABAP front-end server is not required.

● It is also supported for logon to the SAP GUI. Using Kerberos for both SAP GUI and HTTP access simplifies the Single Sign-On setup within your system landscape.

● It is supported by a growing number of mobile device vendors.

During logon, Kerberos/SPNego authentication requires access to an issuing system (for example, Microsoft Active Directory). As this system is typically located within the corporate network, Kerberos/SPNego cannot be used for most internet-facing deployment scenarios. To enable Single Sign-On with Kerberos/SPNego authentication from outside your corporate network, you might have to set up a VPN connection.

Kerberos/SPNego is available with the SAP Single Sign-On product, which also provides additional authentication mechanisms, such as X.509 certificates or an SAML Identity Provider.

For an overview of SAP Single Sign-On, see http://www.sap.com/pc/tech/security/software/single-sign-on/index.html .





Configuration

For more information about the configuration that is required for Kerberos/SPNego, see the Secure Login for SAP Single Sign-On Implementation Guide on SAP Help Portal at http://help.sap.com/sapsso .

3.6.2.3.2.2 X.509 Certificates

Use

If you have implemented a public-key infrastructure (PKI) for user authentication in your organization, you can use X.509 certificates by configuring the required back-end systems (ABAP or SAP HANA) to accept X.509 certificates.

Authentication with X.509 certificates provides the following advantages:

● It does not require an issuing system during logon, which means that it works well in internet-facing scenarios.

● It is also supported for logon to the SAP GUI. Using X.509 certificates for both SAP GUI and HTTP access simplifies the Single Sign-On setup within your system landscape.

X.509 certificates must be distributed to the workstations and devices that are used to access SAP Fiori apps. For mobile devices, this distribution can be performed centrally by a mobile device management software, for example SAP Afaria.

RecommendationAs X.509 certificates remain valid for a relatively long time, we recommend that you minimize the security risk by implementing a method to revoke the certificates, for example if a mobile device is lost.

Configuration

For information about the configuration that is required for X.509 certificates, go to http://help.sap.com/s4hana_op_1809, enter Configuring the AS ABAP to Use X.509 Client Certificates into the search bar, press Enter , and open the search result with that title.

3.6.2.3.2.3 SAML 2.0

Use

If you have implemented the security assertion markup language (SAML) version 2.0 as the method of single sign-on (SSO) within your organization, you can configure the ABAP front-end server for use with SAML 2.0.



http://help.sap.com/disclaimer?site=http%3A%2F%2Fhelp.sap.com%2Fsapsso



This authentication method provides the following advantages:

● It includes extensive federation capabilities, which means that it works well in scenarios with federated user domains, where trust configuration can be complicated.

● It includes extensive user mapping capabilities that enable you to map SAP users based on identity attributes, such as the SAP user name attribute or a user's e-mail address. This means that SAML 2.0 works well for scenarios with multiple user domains.

During logon, SAML 2.0 authentication requires access to an issuing system (Identity Provider). To enable single sign-on with SAML 2.0 in internet-facing deployment scenarios that leverage its federation capabilities, you must ensure that the SAML Identity Provider is securely accessible from outside your corporate network.

NoteIn the SAP Fiori system landscape, SAML 2.0 is supported only for communication with the ABAP front-end server.

Configuration

For information about the configuration that is required for using SAML 2.0, go to http://help.sap.com/s4hana_op_1809, enter Configuring AS ABAP as a Service Provider into the search bar, press Enter , and open the search result with that title.

3.6.2.3.2.4 Logon Tickets

Use

For logon tickets, you must configure the ABAP front-end server to issue logon tickets. Alternatively, you can use an existing system, such as a portal, in your landscape that already issues logon tickets. In addition, you must configure the required back-end systems (ABAP or SAP HANA) to accept logon tickets. You must also ensure that users in the ABAP system have the same user names as the database users in SAP HANA; user mapping is not supported.

As logon tickets are transferred as browser cookies, you can only use this authentication mechanism if all systems in your system landscape are located within the same DNS domain.

RecommendationThe new standardized authentication methods Kerberos/SPNego, X.509 certificates, and SAML 2.0 provide additional security and flexibility features compared to proprietary logon tickets. For example, you can define user mappings and shorten token validity periods or session lifetimes on the server. Therefore, we recommend using Kerberos/SPNego, X.509 certificates, or SAML 2.0 where technically possible.






The following task list includes a task for importing the system certificate from a remote system and adding the remote system to the Access Control List (ACL) according to transaction STRUSTSSO2:


Configuration

For information about the configuration that is required for using logon tickets, go to http://help.sap.com/s4hana_op_1809, enter Configuring AS ABAP to Accept Logon Tickets into the search bar, press Enter , and open the search result with that title.






4 Configuration of SAP Fiori Infrastructure

In this section, you set up the central SAP Fiori infrastructure before installing individual apps in your SAP Fiori system landscape.

For information on how to deploy SAP Fiori apps, also see SAP S/4HANA Fiori Apps Deployment at https://rapid.sap.com/bp/#/browse/categories/sap_s%254hana/areas/on-premise/packageversions/BP_S4H_UX/NWG/20/XX/2/EN/scopeitemversions/4595d0343e83404ca2e8239d5a9cfcbe .

4.1 Setup of SAP Fiori Launchpad

NoteThis section is only relevant for the hub deployment scenario.

Use

The SAP Fiori launchpad is the entry point to the apps, from desktop and mobile devices. You need to configure the SAP Fiori launchpad so that users can access those apps that have been assigned to their respective role.

For information about the configuration tasks for the SAP Fiori launchpad, go to http://help.sap.com/s4hana_op_1809, enter Initial Setup of the Launchpad into the search bar, press Enter , open the search result with that title and navigate to Activating SAP Gateway OData Services and Configuring ICF Nodes.


For an overview of all task lists and tasks for SAP Fiori, see Configuration Using Task Lists [page 21].

The following task list applies to this step:


4.2 Configuration of the SAP Fiori Launchpad

SAP offers several options to adapt the SAP Fiori launchpad to your needs, allowing you to make use of additional features and change the visual appearance of the launchpad.

UI Technology Guide for SAP S/4HANA 1809Configuration of SAP Fiori Infrastructure P U B L I C 59

http://help.sap.com/disclaimer?site=https%3A%2F%2Frapid.sap.com%2Fbp%2F%23%2Fbrowse%2Fcategories%2Fsap_s%25254hana%2Fareas%2Fon-premise%2Fpackageversions%2FBP_S4H_UX%2FNWG%2F20%2FXX%2F2%2FEN%2Fscopeitemversions%2F4595d0343e83404ca2e8239d5a9cfcbe





We recommend evaluating the available options and configuring or activating those that fit to your needs. For an overview of the available options, go to http://help.sap.com/s4hana_op_1809, enter SAP Fiori Launchpad into the search bar, press Enter , open the search result with that title, and navigate to Administration GuideConfiguring the Launchpad .

We especially recommend activating the following features:

1. Notifications in the LaunchpadFor details, go to http://help.sap.com/s4hana_op_1809, enter Enabling Notifications in the Launchpad into the search bar, press Enter , and open the search result with that title.

2. In-Place Navigation for Classic UIsFor details, go to http://help.sap.com/s4hana_op_1809, enter Configuring In-Place Navigation for Classic UIs into the search bar, press Enter , and open the search result with that title.

3. Improved performance for launching SAP GUI for HTML appsFor details, go to http://help.sap.com/s4hana_op_1809, enter Improving Navigation Performance for SAP GUI Applications into the search bar, press Enter , and open the search result with that title.

NoteThe following product versions are required for the features In-Place Navigation for Classic UIs and Improved performance for launching SAP GUI for HTML apps:

● On the front-end server: SAPUI5 Version 1.56.x (which is contained in SAP Fiori Front-End Server 5.0)● On the back-end: SAP Kernel 773 (which is part of the software stack of SAP S/4HANA 1809)

Note that in case of a mixed backend scenario in which other backend products with a lower kernel version are connected to your front-end server, the features are not supported.

4.3 Create RFC Connection for Back-End Transactions (Object Pages)

Context

From object pages, you can access the back-end server and start transactions there (in SAP GUI or Web Dynpro). To enable this, you need to establish a connection between the SAP Fiori launchpad and the back-end system. Perform the following steps on the front-end server:

NoteFrom mobile devices or tablets, you cannot access SAP GUI or Web Dynpro transactions through the SAP Fiori launchpad.

60 P U B L I CUI Technology Guide for SAP S/4HANA 1809Configuration of SAP Fiori Infrastructure





Procedure

1. Identify the system alias for the back-end transactions as follows:1. Run transaction Overview of Launchpads (LPD_CUST) on the front-end server.2. Select the relevant role with Instance TRANSACTIONAL and double-click it.

NoteThere is a role for each front-end application. Select the front-end application that corresponds to the back end for which you want to define the RFC connection. Example: You want to establish an RFC connection that enables users to run the transaction Display Purchase Order in the SAP SRM back-end system. In this case, you need to select the role corresponding to the SAP SRM front-end application.

3. In the left-hand screen area, select a row where Transaction is displayed as the Application Description. The system alias is displayed in the right-hand screen area.

2. Create an RFC connection of type H (HTTP connection) in transaction Configuration of RFC Connections (sm59).

Use the system alias identified under 1. as the RFC Destination.3. Enter the Target Host under Technical Settings in transaction Configuration of RFC Connections (sm59).

4.4 User Assistance Settings

The following sections describe how to enable context-sensitive user assistance for SAP S/4HANA.

4.4.1 Enable Context-Sensitive User Assistance for SAP Fiori Launchpad

To make context-sensitive user assistance available in the SAP Fiori launchpad, you need to do the settings described in the following sections:

● Configure the SAP Web Dispatcher [page 61]● Set Up the User Assistance Plugin [page 63]

4.4.1.1 Configure the SAP Web Dispatcher

Use

If you want to make context-sensitive user assistance available in the SAP Fiori launchpad, you must configure SAP Web Dispatcher.


Prerequisites

You have installed SAP Web Dispatcher 7.5 as the reverse proxy. For more information, go to http://help.sap.com/s4hana_op_1809, enter Operating SAP Web Dispatcher into the search bar, press Enter , open the search result with that title and navigate to the section Installing SAP Web Dispatcher.

Activities

1. Adjust the SAP Web Dispatcher profile file.In the sapwebdisp_pf.txt file, add the following parameters:○ For the User Assistance Content Platform

wdisp/system_<number> = SID=<SID1>, EXTSRV=https://cp.hana.ondemand.com:443, SRCURL=/sap/dfa/help/, SRCSRV=*:*, PROXY=<your proxy>:<your proxy port>, STANDARD_COOKIE_FILTER=OFF

○ For the script server in your production systemwdisp/system_<number> = SID=<SID2>, EXTSRV=https://xray.hana.ondemand.com:443, SRCURL=/resources/sap/dfa/help/, SRCSRV=*:*, PROXY=<your proxy>:<your proxy port>, STANDARD_COOKIE_FILTER=OFF

Note○ Make sure that the numbers following wdisp/system_ are smaller than the numbers that you use

for all your application server. The rules for the context-sensitive user assistance need to come before the rules for the application servers.

○ Make sure that the SIDs are not the same as your system IDs.

2. Activate the usage of the modification handler:icm/HTTP/mod_0 = PREFIX=/, FILE=$(DIR_PROFILE)/redirect.txtFor more information, go to http://help.sap.com/s4hana_op_1809, enter SAP Web Dispatcher Parameter References into the search bar, press Enter , open the search result with that title and navigate to the section icm/HTTP/mod_<xx>.

3. Adjust the SAP Web Dispatcher redirect file.In the redirect.txt file, add the following parameters:

# User Assistance Content Platform - rewrite rule if %{SID} = <SID1> begin SetHeader HOST cp.hana.ondemand.com:443 RegRewriteRawUrl ^/sap/dfa/help/(.*) /dps/$1 end # Script Server - rewrite rule if %{SID} = <SID2> begin SetHeader HOST xray.hana.ondemand.com:443 RegRewriteRawUrl ^/resources/sap/dfa/help/(.*) /xRayControls/resources/sap/dfa/help/$1 end

NoteMake sure that the SIDs in the redirect.txt file are the same as in the sapwebdisp_cf.txt file.





4. You can check if the content platform is working properly through the proxy connection by accessing: https://<your server>:<your port>/sap/dfa/help/odata.svc/?$format=json

ExampleIf the content platform is connected correctly, you can see on your screen the following output, for example:

{"d":{"EntitySets":["Transport","DeliverableForReplication","Tile","Project","Deliverable","TransportHistory","TourIssue","ReplicationTourIssue","Hotspot","Product","Context"]}}

5. You can check if the help script server is working properly through the proxy connection by accessing: https://<yourserver>:<yourport>/resources/sap/dfa/help/sap/cfg/XrayBootstrapHelpConfig.json

ExampleIf the help script server is connected correctly, you can see on your screen the following output, for example:

{ "description":"This configuration registers the Xray bootstrap plug-in", "modulePaths":{ "sap.dfa.help":"/resources/sap/dfa/help/~201509221536~" }, "bootstrapPlugins":{ "BootstrapXrayPlugin":{ "module":"sap.dfa.help.utils.adapters.fiori.BootstrapXrayHelpPlugin" } } }

Result

You can access SAP Fiori launchpad with context-sensitive user assistance.

4.4.1.2 Set Up the User Assistance Plugin

To make context-sensitive user assistance available in the SAP Fiori Launchpad, you set up the user assistance plugin in the following way:

1. You create a catalog.For more information about creating catalogs, go to http://help.sap.com/s4hana_op_1809, enter Initial Setup of the Launchpad into the search bar, press Enter , and open the search result with that title.

2. You create a role that references the catalog.



For more information about creating roles for tile catalogs, go to http://help.sap.com/s4hana_op_1809, enter Initial Setup of the Launchpad into the search bar, press Enter , and open the search result with that title.

3. You assign the role to every user that needs to access the context-sensitive user assistance.4. In the catalog, you create a target mapping with the following values:

Field Label Value

Semantic Object Shell

Action plugin

Application Type SAPUI5 Fiori App

Title User Assistance Plugin

URL /resources/sap/dfa/help/utils/adapters/fiori

This requires that the SAP Web Dispatcher is set up accordingly so that this URL is routed to the script server.

Component sap.dfa.help.utils.adapters.fiori

Information User Assistance Plugin, relevant for all app users

Device Types Select your required devices:

○ Desktop○ Tablet○ Phone

Parameters Enter the following parameters in the table:

○ Name: product; Default Value: SAP_S4HANA_ON-PREMISE○ Name: version; Default Value: 1809.000○ Name: editor; Default Value: false

Optional parameters

○ Name: buttonLocation; Default Value: headYou can decide where the user assistance button should appear by entering one of the following values:head: The user assistance button appears in the SAP Fiori header in the top right corner.me: The user assistance button appears in the Me Area.

○ Name: showWhatsNew ; Default Value: falseYou can decide whether "What's New" information should be displayed on app level, if available. (No: false / Yes: true).

After you have made these setting, the user assistance icon is available for the SAP Fiori Launchpad.



4.4.2 Enable User Assistance for the Back-End System

Enable Context-Sensitive User Assistance

You need to do these settings in the back-end system which you use to create your system configuration setting. After you have done the settings, you save them, create a transport for them and transport them to your productive system(s).

Proceed as follows:

1. Open transaction sr13.2. Select the tab PlainHtmlHttp.3. Choose New Entries.

You have to create new entries for both documentation and XML documentation areas. To create entries for the documentation area, enter the following values:

Name Value to be entered

Variant Enter a name for the variant (any name).

Platform Select the platform relevant for your implementation, for example, WN32.

Area Select Documentation.

This will display as IWBHELP in the table.

Server Names https://cp.hana.ondemand.com

Path dps/d/ahp/1809.000

Language Select the language you need.

To create entries for the XML documentation area, enter the following values:


Variant Enter a name for the variant (any name).

Platform Select the platform relevant for your implementation, for example, WN32.

Area Select XML Documentation.

This will display as XML_DOCU in the table.

Server Names https://cp.hana.ondemand.com

Path dps/d/ahp/1809.000



Language Select the language you need.

4. Repeat step 3 for each relevant platform and language.5. Select one entry as default per platform.6. Save your changes and create a transport.

Enable Product-Specific User Assistance

After you have done the settings in transaction sr13 described above, you need to enable the product-specific User Assistance with the program rsiwbh04 in transaction se38:

1. Open transaction se38.2. Enter the program name rsiwbh04 in the Program field and open the program.3. Under Product-Specific SAP Library enter the ID 2c0e7c571fbeb576e10000000a4450e5 in the

Structure/DITA Map ID field.○ Class must be XDP_STRUCT.○ The radio button Change must be selected.

4. Run the program.

4.5 SAP CoPilot

SAP CoPilot enables a humanized user experience for your SAP applications and is an optional addition to your SAP S/4HANA system. It is a digital assistant that allows you to accomplish tasks without having to navigate away from the context of your screen. You can add and create objects and notes on-the-go through conversation in the app. You can use SAP CoPilot on your phone, desktop, or through an external channel.

To use SAP CoPilot skills and the digital assistant capabilities for SAP S/4HANA, a separate purchase may be required.

For more information about SAP CoPilot, see https://help.sap.com/viewer/p/SAP_COPILOT.

4.6 SAP Fiori Search

Use

SAP Fiori search enables users to search for business objects across the SAP S/4HANA system and to search for apps in the SAP Fiori Launchpad.


https://help.sap.com/viewer/p/SAP_COPILOT

It uses the SAP Enterprise Search on HANA. With SAP HANA as a basis, the search directly accesses transactional database tables.

SAP HANA-enabled search models are available for important business objects. They have a simple, table-based structure, which enables a high performance in the determination of search results.

You can call up object pages from the results of the SAP Fiori search to display details about the objects found and to navigate to their related object, to transactional apps. You can also access back-end transactions through object pages (from desktop devices only).

More Information


4.6.1 Setup of SAP Fiori Search

Use

You can use the SAP Fiori Search to find apps and central business objects. To enable the SAP Fiori search in the SAP Fiori launchpad, perform the steps described below. The search for business objects is enabled through corresponding search models.

SAP Fiori Search and Object Pages

The object page app does not require search models to work. However, if you want to start the app from search, you must activate the underlying search connectors.

NoteThe setup of SAP Fiori search is a prerequisite for the use of object pages.

SAP Fiori object pages for business objects provide information on top of what is displayed in the search results. Furthermore, they enable you to navigate to object pages of related business objects and to transactional apps, or to access back-end transactions, and you can drill down into a business object's details.



The following task lists apply for this step:

● SAP_ESH_INITIAL_SETUP_WRK_CLIENT



Activities

Setup of SAP Fiori Search in the Front End

You must have set up the communication between SAP Web Dispatcher and the ABAP servers. For more information, see:

● ABAP Servers: Setup of Communication● SAP Web Dispatcher: Setup of Communication

Setup of SAP Fiori Search in the Back End

You must have set up the Enterprise Search technology. The setup process consists of the following main steps:

1. Implement SAP NotesImplement the SAP Notes listed in the Release Information for SAP Enterprise Search in SAP Fiori, see SAP Note 2228932 .

2. Set secondary database connection for search to SAP HANA databaseMake this setting in Customizing for your back-end system under Cross-Application ComponentsGeneral Application Functions HANA-Based Search for SAP Business Suite Configure Indexing Set TREX/BWA Destination or SAP HANA DB Connection .Alternatively, you can use report ESH_ADM_SET_TREX_DESTINATION to set the database connection.Prerequisites:○ You have created a second database connection in transaction DBCO.○ A database user not equal to SAP<SID> is available. Database users must have the following

authorizations:○ Object authorizations TREXVIADBSL and TREXVIADBSLWITHPARAMETERS○ Scheme authorization SELECT for the _SYS_REPO scheme.○ Scheme authorizations SELECT, ALTER, and INDEX for the SAP<SID> scheme.

For more information, go to http://help.sap.com/s4hana_op_1809, enter Creating a Connection Between Enterprise Search and SAP HANA into the search bar, press Enter , and open the search result with that title.

3. Activate connector-based authorization checksTo restrict the search results to the business object instances a user is authorized to see, Enterprise Search supports authorizations based on business object instances. In addition, authorization checks based on search connectors are supported – mainly for performance reasons. For more information, go to http://help.sap.com/s4hana_op_1809, enter Security Guide for Enterprise Search into the search bar, press Enter , open the search result with that title, and navigate to Authorizations.

Activate the connector-based authorization checks in Customizing for your back-end system under Cross-Application Components General Application Functions HANA-Based Search for SAP Business

Suite Search Configuration Set Parameters for Federated Search . Under Model Authorization, select Check from the dropdown menu.

4. Activate UI servicesActivate the following services for the Enterprise Search in transaction Activate Service (SICF) in your back-end system.:

○ default_host sap bc webdynpro sap ESH_ADMIN_UI_COMPONENT

○ default_host sap bc webdynpro sap esh_eng_modeling






○ default_host sap bc webdynpro sap esh_eng_wizard

○ default_host sap bc webdynpro sap esh_search_results_ui

○ default_host sap bc webdynpro sap wdhc_help_center

○ default_host sap es cockpit

○ default_host sap es saplink

○ default_host sap es search

○ default_host sap es ina GetResponse

○ default_host sap es ina GetServerInfo5. Create connectors

Prerequisite: You need the following authorizations:○ SAP_ESH_SEARCH○ SAP_ESH_LOCAL_ADMIN

Create connectors in the Connector Administration Cockpit (transaction ESH_COCKPIT).The connectors required for each object page and the relevant search software components are documented in the implementation documentation for the single object pages.

NoteNote the following system behavior:

○ Search software components build a stack: On top of the basis component, different layers can be installed.

○ Search models can be available in different components: In their original component, but also in higher layer components (extension components).

○ Once you create a search connector in an extension component, all search models from the original component are transferred into the extension component. You will therefore no longer find the search models in the original component.

For more information about connector creation, go to http://help.sap.com/s4hana_op_1809, enter Creating Connectors into the search bar, press Enter , and open the search result with that title.

NoteWhen search models are transported, for example in the event of a system upgrade, manual steps can be required. For more information, go to http://help.sap.com/s4hana_op_1809, enter Transporting Search Models into the search bar, press Enter , and open the search result with that title.

6. Start indexing of ConnectorsFor more information, go to http://help.sap.com/s4hana_op_1809, enter Starting Indexing of Connectors into the search bar, press Enter , and open the search result with that title.

More Information

Enable SAP Fiori Search for Multiple Systems [page 70]





4.6.2 Enable SAP Fiori Search for Multiple Systems

Use

NoteThis activity is optional.

In the SAP Fiori landscape, you can connect multiple ABAP back-end servers to have the installed systems browsed by SAP Fiori search. Each back-end server must run on an SAP HANA database and must have SAP Fiori search installed and configured.

One back-end server acts as a proxy to which the other back-end servers are connected.

The connected back-end servers act as clients. Their content can be browsed using the SAP Fiori search on the proxy.

Activities

To enable SAP Fiori search for multiple systems, proceed as follows:

1. Set up SAP Fiori search on each of the back-end servers. For more information, see Setup of SAP Fiori Search [page 67].

2. Connect the search systems on the different back-end servers. For more information, go to http://help.sap.com/s4hana_op_1809, enter Optional: Establishing Connection to Back-End Systems into the search bar, press Enter , and open the search result with that title.

4.7 Enable SAP Fiori Apps for Multiple Systems

Use

If you have configured SAP Fiori search to browse the systems installed on multiple back-end servers, you can also configure SAP Fiori apps for multiple back ends. This enables you to call up the SAP Fiori apps of a business object listed in the search results, regardless of the system the business object resides in. While it is possible to search across multiple systems, the data displayed in the SAP Fiori app always comes from one system.

For more information about SAP Fiori search for multiple back ends, see Enable SAP Fiori Search for Multiple Systems.




Activities

Create system aliases in Gateway.

NoteYou require SAP Gateway Foundation 7.50 (software component version SAP Gateway FOUNDATION 7.50).

For more information about how to manage system aliases in a landscape with several back-end systems to retrieve data from, go to http://help.sap.com/s4hana_op_1809, enter System ID in Origin Segment Parameter into the search bar, press Enter , and open the search result with that title.

4.8 Integrating SAP Jam (Optional)

Use

Some SAP Fiori apps contain features based on an integration with SAP Jam. SAP Jam is a collaborative environment that brings together people, information, applications, and processes to solve business-critical problems and drive rapid results.

SAP Jam is part of the ABAP social media integration (SMI), which allows you to integrate the SAP Jam social collaboration platform across SAP technologies such as SAPUI5.

You can configure ABAP SMI to allow the SAP Fiori launchpad and apps to use the ABAP SMI functions developed for SAP Fiori.

More Information

For information about integrating SAP Jam with SAP Fiori and the prerequisites, go to http://help.sap.com/s4hana_op_1809, enter Configuring ABAP SMI for SAP Fiori Apps into the search bar, press Enter , and open the search result with that title.

4.9 Extended Material Number in SAP Fiori Apps

Use

In SAP S/4HANA you can use the extended material number with a maximum length of 40 characters. As a default, the standard material number which allows a maximum length of 18 characters is activated. You can





activate the extended material number in the back-end system. The SAP Fiori apps then automatically display the extended material number.

Activities

If you want to use the extended material number, you have to make the following settings:

1. Activate the extended material number in the IMG under Cross-Application Components General Application Functions Field length Extension Activate extended fieldsThe standard setting is that the checkbox is not selected: The system uses the short version of the material number field, for example MATNR, for all external communication.

2. Define the material number field length in the IMG under Logistics General Material Master Basic Settings Define Output Format of Material Number

4.10 Running Apps in Standalone Mode

Use

Several SAP Fiori apps support standalone mode. If you implement this feature, users can directly access an app without the SAP Fiori launchpad being visible to them either by calling a URL or by launching the app in the SAP Enterprise Portal content area.

You typically use one of these options to give users direct access to selected apps that do not require contextual navigation.

More Information

Go to http://help.sap.com/s4hana_op_1809, enter Running Standalone Applications into the search bar, press Enter , and open the search result with that title.

4.11 Setup of SAPUI5 Application Index

Use

The SAPUI5 application index provides an indexing and caching mechanism for information related to SAPUI5 applications, components, and libraries that are contained in SAPUI5 repositories on the Application Server ABAP.



Activities

The SAPUI5 application index is used by several different services (such as SAP Fiori launchpad and cache buster), which means you have to define the execution of its calculation report /UI5/APP_INDEX_CALCULATE as a background job (transaction SM36).

More Information

For more information, go to http://help.sap.com/s4hana_op_1809, enter SAPUI5 Application Index into the search bar, press Enter , and open the search result with that title.



5 App Implementation

Use

This section contains the background information and the tasks that you need to perform to implement apps into the system landscape that you have set up and configured. The implementation tasks slightly differ according to the type of app that you want to use.

Prerequisites

● You have installed and configured the system landscape.For more information about the system landscape, see Setup of SAP Fiori System Landscape.

● You have done the initial configuration of Gateway. For more information, go to http://help.sap.com/s4hana_op_1809, enter SAP Gateway Foundation Configuration Guide into the search bar, press Enter , open the search result with that title and navigate to the section General Configuration Settings.

● You have set up the SAP Fiori infrastructure. For more information, see Configuration of SAP Fiori Infrastructure [page 59].

Process

NoteFor the following implementation tasks, you need information from the app-specific implementation documentation, such as technical names of services, roles, and so on. Access this documentation at http://help.sap.com/s4hana_op_1809 Product Assistance . Under each area, you can find the respective apps and app-specific implementation information.

You can also find technical information about the apps in the SAP Fiori apps reference library at http://fioriappslibrary.hana.ondemand.com/sap/fix/externalViewer/.

Some important technical information is not included in the SAP Fiori apps reference library. These settings are explained in Additional Implementation Activities for All Finance Apps. We highly recommend that you also read this document when you implement apps outside of Finance. Some of the settings are also relevant for other application areas, in particular, the activation of the Central Simple Finance Fiori Reuse Library. To view the document, go to http://help.sap.com/s4hana_op_1809, enter Additional Implementation Activities for All Finance Apps into the search bar, press Enter and open the search result with that title.

1. Make yourself familiar with the user management and authorization concepts for the SAP Fiori launchpad.2. You enable the apps to retrieve data from the back-end server.

○ For SAP Fiori apps, you need to activate OData services and ICF Services on the front-end server.


App Implementation




http://fioriappslibrary.hana.ondemand.com/sap/fix/externalViewer/

http://fioriappslibrary.hana.ondemand.com/sap/fix/externalViewer/


○ For Web Dynpro apps, you need to create RFC connections to the backend on the front-end server. On the back-end server, you need to activate ICF services of Web Dynpro Apps and activate ICF services for transactions displayed in SAP GUI for HTML [page 102].

3. You need to set up users on the front-end server and back-end server.4. You need to define what apps your users are allowed to access from the SAP Fiori launchpad on the front-

end server. To do so, you do the following:1. You create catalogs and groups [page 91] to which you add apps.2. You create PFCG roles, add catalogs to these roles, and determine the authorization defaults for the

apps.3. You assign the roles to your users.

5. On the back-end server, users need the start authorizations for the Odata service or the application and the business authorizations for accessing business data displayed in the app. You therefore need to create PFCG roles on the back-end server and assign them to your users.

NoteYou can also perform several app implementation tasks automatically. See the task descriptions and Activate OData Services for Several SAP Fiori Apps [page 84].

● Activate OData Services for Several SAP Fiori Apps

5.1 User Management and Authorization

SAP Fiori apps adopt the user management and authorization concepts provided by AS ABAP. Therefore, the security recommendations and guidelines for user and role administration and authorization as described in the Application Server ABAP Security Guide also apply to the SAP Fiori apps.

For more information, go to http://help.sap.com/s4hana_op_1809, enter ABAP Platform Security Guide into the search bar, press Enter , and open the search result with that title.

This section contains information about user and role administration and the authorization concept that specifically applies to SAP Fiori apps.

5.1.1 UI Content and Authorization Concept

SAP Fiori launchpad is the access point to apps on mobile or desktop devices. To use SAP Fiori apps, users need the following types of entities:

● UI: The SAP Fiori UI entities that define which SAP Fiori apps are displayed to the user. The apps are organized through catalogs and groups.

● Authorizations: The authorizations that are required to use Fiori launchpad, to start SAP Fiori apps, and to use the business logic and data of the SAP Fiori apps.

SAP Fiori UI entities and authorizations are assigned to users by means of PFCG roles. This section presents the app-specific SAP Fiori UI entities and authorizations. For general authorizations that are required for using the SAP Fiori launchpad, see General Authorizations Required for SAP Fiori [page 80].

UI Technology Guide for SAP S/4HANA 1809App Implementation P U B L I C 75


Dependencies between SAP Fiori UI Entities, OData Services, and Authorizations

The following figure shows the dependencies between the entities:

● The SAP Fiori UI entities that define which SAP Fiori apps are displayed to the user.● The OData services that retrieve the dynamic data to be displayed from the business logic for the SAP Fiori

apps.● The authorizations required to start and to use the business logic of the SAP Fiori apps. These

authorizations are defined by the OData services.

Dependencies Between UI Entities and Authorizations for SAP Fiori Apps

NoteFor apps using Web Dynpro or SAP GUI for HTML technology, the picture looks slightly different. These apps do not use app-specific OData services. Instead, the access to the back-end server requires an HTTP connection. Authorizations are defined by the application itself.


App Implementation

Overview of PFCG integration of SAP Fiori tile catalogs for different UI technologies used in SAP Fiori

UI Entities

The apps that are displayed to the users are organized using the following SAP Fiori UI entities:

● CatalogsA catalog is a set of apps that you want to make available and authorize for your users. The users can browse through the catalog, choose apps from the catalog, and add them to the entry page of their SAP Fiori launchpad.Technically, apps are represented by the following:○ KPI tiles to launch analytical apps○ App launcher tiles to launch all other types of apps

NoteOnly the apps that can be accessed directly from the entry page of the SAP Fiori launchpad have an app launcher tile. Object pages, for example, do not have any app launchers. They are started by navigating from other applications or by using the search.

○ Target mappings referencing the actual navigation targets

NoteFor launching apps either using a tile or using navigation, users require a target mapping. We recommend that you add the tiles and corresponding target mappings to the same catalog.

● GroupsGroups define the SAP Fiori launchpad entry page. The apps in the group are a subset of apps that are assigned to one or several catalogs. Which tiles are displayed on a user’s entry page depends on the catalogs and groups assigned to the user’s roles. If a group contains apps that are not assigned to the user by catalogs, the app is not displayed on the user’s entry page. In addition, if configured, the user can personalize the entry page by adding or removing apps to pre-delivered groups or self-defined group.


You maintain catalogs and groups in the launchpad designer. SAP delivers technical catalogs which contain apps per application area. In addition, SAP delivers business catalogs and business groups as sample collection of apps relevant for a business role.

As an administrator, you can use the technical catalogs as repository to create your own role-specific business catalogs and groups. For more information, see Maintain Business Catalogs and Business Groups.

PFCG Roles

You use PFCG roles to assign the UI entities and authorizations to the users:

● PFCG roles on front-end serverBy adding the catalogs to the role menu, you include the apps in the catalog that is available to the users. By adding groups, you define the SAP Fiori launchpad entry page. To start the apps, users require the start authorizations for the model provider of the activated OData services (IWSG). To get these start authorizations, you need to add the OData services to the PFCG role menu. For the OData services the SAP Fiori app use, see the SAP Fiori app implementation documentation in the SAP Fiori apps reference library. When you add a catalog to the role menu, the system will determine the OData services used in a catalog and automatically include the start authorizations.For more information, see:○ Create PFCG Role on Front-End and Assign Launchpad Catalogs and Groups [page 98]○ Go to http://help.sap.com/s4hana_op_1809, enter Configuring Roles with Launchpad Start

Authorizations into the search bar, press Enter , and open the search result with that title.● PFCG roles on the back-end server

On the back-end server, the OData services that the SAP Fiori apps use are implemented. Therefore, the users need to have start authorization for the OData service’s data provider (IWSV), and all the business authorizations for accessing business data displayed in the app.For object pages, the authorization defaults also include the authorizations for the Enterprise Search connectors. For Web Dynpro or SAP GUI for HTML apps, users need authorizations for the Web Dynpro applications and transactions. The OData services, Web Dynpro applications and transactions carry the authorization defaults for the business authorizations as proposed by SAP.To get the authorizations, you add the OData services, Web Dynpro applications and transactions for SAPGUI for HTML apps to the PFCG role menu. This adds the start authorizations and the authorization defaults for the business authorizations of the applications to the role. We recommend adding the catalog to the role menu to automatically determine the OData services, Web Dynpro applications and transactions included in the catalog. With that, you can organize the update of authorizations when the catalog changes. In the graphic above, the red arrow pointing from the menu of the PFCG role on the back-end to the catalog on the front-end depicts this recommendation.For more information, see:○ Create PFCG Role on Back-End [page 106]○ Go to http://help.sap.com/s4hana_op_1809, enter Configuring Roles for Tile Catalogs and Groups into

the search bar, press Enter , and open the search result with that title.● Business Roles

Business roles in SAP S/4HANA represent the central object used to structure users’ access on the frontend server.SAP delivers business role templates that follow the naming convention SAP_BR*. The business role templates delivered are designed to cover typical activities of business users with a certain job profile. So, for example, the business role template SAP_BR_AR_ACCOUNTANT delivered is designed for accounts receivable accountants.Each role contains business catalogs that cover the typical tasks of a user. So, for example, the SAP_BR_AR_ACCOUNTANT role covers the typical tasks of an accounts receivable accountant.


App Implementation




Each business catalog contains one or more applications and is designed to support segregation of duties.Country-specific requirements are covered by separate business roles that complement the respective base role. Their technical name consists of the technical name of the base role enhanced by the ISO code of the country the role covers, for example, SAP_BR_AR_ACCOUNTANT_CN as a role including business catalogs for accounts receivable accountants in China.

Sequence When Starting an SAP Fiori App

● When the user starts the SAP Fiori launchpad, the launchpad displays the app tiles that are assigned to users via catalogs and organized in groups.A launchpad-specific OData service resolves the catalogs and groups a user is assigned to: This service resolves the user’s catalog and group assignments. It uses the PFCG roles which the user belongs to on the front-end server by collecting the corresponding catalog and group entries in the PFCG role menu.

● To start an SAP Fiori app, the user chooses a tile. The tile resolves the technical SAP Fiori app implementation to be started using a target mapping.

● The tiles and target mappings of a catalog or group, which then determine the technical SAP Fiori app implementation, are maintained in the SAP Fiori launchpad designer.

● When a user’s browser loads an SAP Fiori app, the app retrieves its dynamic data from the HTTP endpoint of the app-specific OData service on the front-end server. Gateway translates the HTTP request to a trusted RFC call to the Gateway enablement of the back-end server, which then retrieves the data by calling the relevant business logic.

● The user requires authorizations for the app-specific OData service, that is, the start authorizations for the service on the front-end server and in the back-end system and the business authorizations required by the business logic.

5.1.2 Recommendations for Organizing SAP Fiori UI Entities and Authorizations

Users can start all SAP Fiori apps assigned to them from catalogs. Therefore, we recommend organizing SAP Fiori UI entities and authorizations for the catalogs.

● Define the catalogs as the smallest entities that are assigned and authorized for your users.● Derive groups from or across catalogs where required. Groups define the initial UI content on the SAP Fiori

launchpad. The users can then personalize the SAP Fiori launchpad by displaying and hiding apps.● In the PFCG roles on the front-end server and on the back-end server, keep the catalogs and the

authorizations required by the apps included in the catalog together in the same roles.● With the help of the PFCG integration of SAP Fiori tile catalogs, you can you can determine the

authorizations required for the apps in the catalog on the front-end and on the back-end server in the Role Maintenance (PFCG). For more information, go to http://help.sap.com/s4hana_op_1809, enter Assign Tile Catalogs to Roles into the search bar, press Enter , and open the search result with that title.○ On the front-end server, make sure to choose the Include Applications checkbox when adding a catalog

to your PFCG roles. The start authorizations for the catalog are then included in the role menu as subnodes below the catalog entry.

○ On the back-end system, also add the catalog to your existing or new PFCG role and make sure to choose the Include Applications checkbox. The authorization defaults for the catalog for the OData



service data providers, Web Dynpro applications, and transactions for apps using SAP GUI for HTML technology, are included in the role menu as subnodes below the catalog entry. In addition, the authorization defaults delivered by SAP for these services and applications are added to the role.

NoteIt is now possible to transfer the role menu of a SAP Fiori front-end business role (PFCG) to the role menu of an existing or new back-end role (see SAP Note 2533007 ).

● When a catalog is changed in the launchpad designer, for example, an app is added or removed, you must update authorizations in the PFCG roles which include this catalog. If you have add the catalogs with the determination of authorizations as described above (checkbox Include Applications chosen), you can determine the roles that must be adapted by using the PRGN_COMPARE_ROLE_MENU report.In Role Maintenance (PFCG), you then compare and update the roles to reflect the authorization changes as given in the current definition of the catalog.However, the comparison (both using the report or comparing in PFCG) does not include applications or services that you added manually to the role menu. For more information, go to http://help.sap.com/s4hana_op_1809, enter Update Authorization Defaults for Tile Catalogs into the search bar, press Enter , and open the search result with that title.

● If a catalog contains apps that address several back-end servers , you need to create a PFCG role per back-end server. Consider splitting up the catalog.

● Instead of creating new PFCG roles, you can also extend existing roles that fit to the scope of the catalog. You might want to extend roles already used in the back-end server. If you add the catalog and its applications and services to an existing role, the authorization proposals have to be merged with the authorization values already defined in the role. You can consider using existing roles if the following applies:○ The same users assigned to the role shall get access to all apps in the catalog.○ The business authorizations already defined in the role and those that you define for the apps in the

catalog do not contradict.

5.1.3 General Authorizations Required for SAP Fiori

To run SAP Fiori launchpad and trigger the OData services required for SAP Fiori, users need certain general authorizations in addition to the app-specific authorizations on the front-end and the back-end server.

Front-End Server

Assign the following once on the SAP Fiori front-end server:

● Launchpad authorizationsEnd users need authorizations to run the SAP Fiori launchpad; administrators need additional authorizations to run the SAP Fiori launchpad designer.SAP delivers template roles for launchpad access.For more information, go to http://help.sap.com/s4hana_op_1809, enter Configuring Roles with Launchpad Start Authorizations into the search bar, press Enter , and open the search result with that title.

● General OData authorizations


App Implementation





The authorizations required to use the Gateway runtime.SAP delivers authorization templates for accessing the Gateway runtime.For more information, go to http://help.sap.com/s4hana_op_1809, enter User, Developer, and Administrator Roles into the search bar, press Enter , and open the search result with that title.

● Trusted RFC back-end connectivity authorizationsS_RFC and S_RFCACL authorizations are required for each back-end server to access the back-end server over a trusted RFC connection.

● For analytical apps that are launched by using a KPI tile:End users need authorizations for the OData service /SSB/SMART_BUSINESS_DESIGNTIME_SRV. On the front-end server, the start authorization for the model provider of the activated OData service is required. While the authorization is required only once per user, we recommend to organize it by adding a reference to the target mapping with the action analyzeSBKPIDetailsS4HANA from the technical catalog SAP_TC_CA_SSB_COMMON to your business catalogs which contain analytical apps. By defining the roles for the catalogs as described in Create PFCG Role on Front-End and Assign Launchpad Catalogs and Groups, the relevant users will get the authorization.For modeling KPIs, users need to be assigned to the SAP Smart Business modeler apps. The business role SAP_BR_ANALYTICS_SPECIALIST contains the catalog and group provided by SAP. To run these apps, users need the authorizations for the OData service /SSB/SMART_BUSINESS_DESIGNTIME_SRV. We recommend that you define a role using the SAP delivered catalog and group as described in Create PFCG Role on Front-End and Assign Launchpad Catalogs and Groups.

● For analytical apps that are built using Analysis Path Framework (APF):○ End users and key users:

End users and key users need authorizations for all OData services used in the configuration, including those used for the step configuration, the filter resolution, the value help request, and so on, and for the service for path persistence BSANLY_APF_RUNTIME_SRV.

○ End users:For access to the layered repository of the SAPUI5 flexibility services, assign the authorization object /UIF/LREP to the end user’s PFCG role and select APFUSER as value for field /UIF/ROLE.

○ Key users:For using the APF Configuration Modeler design time app, users need to be assigned the business role SAP_BR_ANALYTICS_SPECIALIST. For access to the layered repository of the SAPUI5 flexibility services, assign the authorization object /UIF/LREP to the key user’s PFCG role and select APFADMIN as value for field /UIF/ROLE.

Back-End Server

Assign the following once for each back-end server:

● Back-end connectivity authorizationsThe S_RFC and S_RFCACL authorizations are required to access the trusted RFC on each back-end server.For more information, see Assign RFC Authorization to User.

● For analytical apps that are launched by using a KPI tile:End users need the authorizations for the OData service SMART_BUSINESS_RUNTIME_SRV. Users who model KPIs in addition need the authorization for the OData service SMART_BUSINESS_DESIGNTIME_SRV. We recommend that you define the roles corresponding to those on the front-end server as described in Create PFCG Role on Back-End.



● For analytical apps that are built using Analysis Path Framework (APF):○ End users and key users:

End users and key users need authorizations for all OData services used in the configuration, including those used for the step configuration, the filter resolution, the value help request, and so on, and for the service for path persistence BSANLY_APF_RUNTIME_SRV.

● For transactional apps:For more information about authorizations and roles for transactional apps, go to http://help.sap.com, enter Authorizations and Roles for Transactional Apps into the search bar, press Enter , and open the search result with that title.

5.1.4 Users in ABAP Front-End System

Use

The ABAP front-end server contains the central and app-specific SAP Fiori UI components including SAP Fiori launchpad and Gateway. To launch SAP Fiori apps using SAP Fiori launchpad, users are required on the front-end server.

NoteUsers must have the same user names and passwords on the ABAP front-end server and the ABAP back-end server. User mapping is not supported. For this purpose, you can use Central User Administration (CUA) or identity management systems.

To access SAP Fiori apps, users on the front-end server require UI content and authorizations. The corresponding PFCG roles need to be assigned to the user.

More Information

For information about the required UI content and authorizations for users on the front-end server, see UI Content and Authorization Concept.

5.1.5 Users in ABAP Back-End System

Use

The ABAP back-end system implements the business logic and provides the data for the SAP Fiori apps, Web Dynpro applications and transactions. For apps launched by users from the SAP Fiori Launchpad on the front-end server, users with the same user names are required on the ABAP back-end system. You can use your existing users in the ABAP back-end system as long as these users have the same user names in all ABAP back-end systems which implement apps you want to make available in SAP Fiori Launchpad.


App Implementation

http://help.sap.com

Users in the ABAP back-end system require PFCG roles with certain general authorizations as well as authorizations for OData services, WebDynpro applications, and transactions.

More Information

For information about the required authorizations for users on the back-end system, see UI Content and Authorization Concept.

5.2 Implementation Tasks on Front-End Server

This section contains the tasks you perform on the front-end server to implement SAP Fiori apps.

5.2.1 SAP Fiori Apps

5.2.1.1 Activate OData Services

Use

There are several ways to activate the relevant OData services:

● You can activate the OData services for each app individually, as given below.● You can activate OData services for several apps at once, by using a task list. For more information, see

Activate OData Services for Several SAP Fiori Apps.

Procedure

1. Run transaction Activate and maintain services (/IWFND/MAINT_SERVICE) on the front-end server.2. Choose Add Service.3. Enter the system alias of your back-end system.4. In the External Service Name field, enter the technical name of the OData service for your app without the

version number.For more information on the OData service per app, see the app-specific documentation.

5. In the Version field, enter the version number.6. Choose Get Services.


7. Choose Add Selected Services.8. Enter a technical name for the service in your customer namespace.9. Assign a package or choose Local Object.10. Choose Execute to save the service.11. On the Activate and maintain services screen, check if the system alias is maintained correctly. If not,

delete the alias and add the correct one.12. Call the OData service once.

Determining the OData service names for your apps

● For apps delivered by SAP, see the SAP Fiori App Reference Library and the app-specific documentation.● For analytical apps launched using a KPI tile that your company created, ask the responsible developer.● If you want to determine the OData service name by yourself:

○ In the SAP Smart Business KPI Modeler apps, use the KPI Workspace app to look for the relevant KPI. The names of the KPI tile and the KPI name might differ slightly.

○ In the KPI, look for the evaluation. The evaluation contains the URL of the OData service, such as /sap/opu/…<service>.

5.2.1.1.1 Activate OData Services for Several SAP Fiori Apps

Use

Instead of manually activating OData services individually for each app, you can activate the OData services for several apps at once, by using a task list.

Prerequisites

● If you want to download OData services from SAP Fiori apps reference library: SAP Fiori apps reference library is available.

● Task lists for configuring SAP Fiori Apps are available


For an overview of all task lists and tasks for SAP Fiori,

go to http://help.sap.com/s4hana_op_1809, enter Configuration Using Task Lists into the search bar, press Enter , and open the search result with that title.

The following task list applies to this step:



App Implementation


Activities

1. Collect the names and version numbers of the OData services you want to activate.You can download this information from the SAP Fiori apps reference library or paste it from the app-specific implementation information.

2. Start task list SAP_GATEWAY_ACTIVATE_ODATA_SERV.3. In the Define OData Services for Activation task, enter the OData services you want to activate:

1. Enter the external service name or the technical service name.2. To use a version other than 1: Behind the service name, enter a blank and then the version number.

4. In the Select System Alias for Activation task, enter the system alias.5. In the Select OData Services for Activation task, make sure that all services are selected that you want to

activate. You can exclude some services that you do not want to activate.6. Choose Generate Task List Run.

The system creates the OData service, assigns the system alias to the OData service, and activates the related ICF nodes.

More Information

For more information about SAP Fiori apps reference library, see Implementation Planning [page 9].

For more information about working with task lists, see Configuration Using Task Lists [page 21].

5.2.1.2 Activate ICF Services of SAPUI5 Application

Use

In addition to the central services relevant for all SAP Fiori apps, you must also activate the services for the specific apps. This is because, for security reasons, all Internet Communication Framework (ICF) services are made available in an inactive state.

NoteFor security reasons, we recommend that you only activate the services for the apps you want to use.

You can activate the ICF services for each app manually, as given below.

Prerequisites

For each app, you find the technical name of the corresponding ICF service in the App Implementation documentation under Implementation Tasks .


Procedure

To activate an ICF service, proceed as follows:

1. On the front-end server, start transaction Maintain Services (SICF).2. Press F8 .

3. Navigate to default_host sap bc ui5_ui5 sap .4. In this node, navigate to the SAPUI5 application for your app.

5. To activate the service (SAPUI5 application), choose Service/Host Activate .

5.2.2 SAP GUI for HTML transactions, Web Dynpro applications and Design Studio apps

5.2.2.1 Set up RFC Connections to a Back-End System

Use

To consume catalogs containing SAP GUI for HTML transactions, Web Dynpro applications and Design Studio apps from a specific back-end system, it is mandatory to configure the following two types of RFC connections to the back-end system.

● An ABAP connection (type 3) which is used to replicate app descriptors from the back-end server to the front-end server. Applications which use SAP GUI for HTML , Web Dynpro and Design Studio UI technology carry app descriptors which provide information required to access them from the SAP Fiori launchpad.

● An HTTP connection (type H), which is used to start Web Dynpro apps and transactions using SAP GUI for HTML and retrieve the business data.

CautionThe entered URLs must not use the same virtual host as the SAP Fiori Frontend Server! The connection must point to the URL with which the browser can access the backend system. For example, this can be a virtual host configured for this backend system as described in Defining Routing Rules for SAP Web Dispatcher and ABAP Back End [page 34].

To set up the connections, you first need to maintain a mapping table and then create the necessary RFC connections.

Procedure

Map the Connections


App Implementation

The business catalogs shipped by SAP contain system aliases which are used to call an app in a specific system, e.g. S4FIN or S4LO (see Maintain Business Catalogs and Business Groups [page 91]). The list of system aliases can be found in the section below. In your system landscape several system aliases may point to one and the same physical source system. To reduce administrative effort, SAP recommends to create entries in table /UI2/SYSALIASMAP. This table is used to map SAP system aliases to logical system aliases, which stand for the physical back-end systems connected to the front-end system. The logical system is resolved to a concrete RFC or HTTP connection by adding the suffix _RFC or _HTTP. If your Fiori launchpad is run in HTTPS mode, the connection needs the suffix _HTTPS. The table has the following structure:

Field Name Key Description

MANDT Yes Client

SYSALIAS_SRC Yes Source System Alias

SYSALIAS_TGT Target System Alias

To maintain the table, call up transaction SM30 and open the maintenance view /UI2/V_ALIASMAP.

The data model of the federation design uses the database for system connections in the ABAP standard, SM59. The mapping table is used during the following actions:

● Extraction of apps from a back-end systemIn this case, the type 3 (RFC) connection is used.

● Link resolution in the SAP Fiori launchpad runtimeIn this case, the type H (_HTTP or _HTTPS) connection is used.

Create RFC Connections

1. In the front-end system, choose Tools Administration Administration Network RFC Destinations or start transaction SM59.

2. Create an RFC connection of the type ABAP Connection and one of the type H - HTTP connection to ABAP System.Use the following naming conventions:○ ABAP connection: <Logical System Alias>_RFC○ HTTP connection: <Logical System Alias>_HTTP or <Logical System Alias>_HTTPS

RecommendationWe recommend to use a HTTPS connection.

System AliasesMake sure to create the ABAP connection with the radio button Trusted Relationship set to Yes and the mark Current User set to true.

Name (System Alias) Application Area ACH

NW SAP NetWeaver BC

S4CA Cross Applications CA



S4CMD Common Master Data AP-MD

S4CPA Commercial Project Management CA-CPD

S4EAM Enterprise Asset Management PM

S4ECCSE Localization FI-LOC

S4EHS Environment, Health and Safety EHS

S4FIN Financials FI

S4FICA Financials Contract Accounts FI-CA

S4FICAX IS Extension Financials Contract Accounts

FI-CAX

S4LO Logistics LO

S4MDG Master Data Governance CA-MDG

S4PLM Product Lifecycle Management PLM

S4PP Production Planning PP

S4PPM Portfolio and Project Management PPM

S4PRC Procurement MM-PUR

S4PS Project Services PS

S4PSS Product Safety & Stewardship ESH

S4QM Quality Management QM

S4SCM Supply Chain Management SCM

S4SD Sales and Distribution SD

S4SLL Global Trade Services / Logistics Services

SLL

S4TRV Travel FI-TV

NoteThe aliases for SAP S/4HANA Industries and SAP S/4HANA Add-Ons are only required if you want to use apps from those areas.


App Implementation

SAP S/4HANA Industries


S4FSCM Insurance FS-CM

S4ISA IS Automotive IS-A

S4ISAD IS Aerospace & Defence IS-AD

S4ISEC IS Engineering and Construction IS-EC

S4ISPSCA IS Public Sector Contract Accounting IS-PS-CA

S4ISU IS Utilities IS-U

S4OIL IS Oil & Gas IS-OIL

S4PSM Public Sector Management EA-PS

S4RFM Retail Fashion Management LO-RFM

3. For each connection, enter the Target Host under Technical Settings and configure the settings under Logon & Security.

RecommendationFor the HTTP connection, we recommend to use HTTPS. Set the SSL option to Active.

NoteIt is not mandatory to maintain an entry in the mapping table for each SAP system alias. If no table entry exists, the RFC connection resulting from a SAP system alias is calculated by adding the suffix _RFC, _HTTP, or _HTTPS to the SAP system alias.

Example

There are two application systems:

● S/4HANA (components FIN and LO)● CAP (component CA)

The connections have to be mapped like this in the table /UI2/SYSALIASMAP using the maintenance view /UI2/V_ALIASMAP:

Client Source System Alias Target System Alias

S4FIN S/4HANA

S4LO S/4HANA

The following SM59 connections have to be created:

● ERP_HTTPS (type H)points to S/4HANA


● ERP_RFC (type 3)points to S/4HANA

● S4CA_HTTPS (type H)points to CAP

● S4CA_RFC (type 3)points to CAP

S4CA does not have to be mapped, because the SM59 connections conform to the naming conventions.

5.2.2.2 Replicate App Descriptors from Back-End System

Use

To enable the access from the SAP Fiori launchpad to applications using Web Dynpro and SAP GUI for HTML technology, you have to replicate information about these applications from the back-end server to the front-end server. Each app has an app descriptor which provides this information.

You have to execute the replication before you enter the SAP Fiori launchpad designer to create your own catalogs. Only after the replication you will see the apps in the Technical Catalogs view.

Procedure

1. Launch the report /UI2/GET_APP_DESCR_REMOTE_ALL.2. Mark the Test mode checkbox and choose Execute. The catalogs will not be replicated. A log is displayed.3. If the log does not contain any errors, deselect the Test mode checkbox and choose Execute.

RecommendationWe recommend to schedule the report to run daily. As the report needs to run after every system update, scheduling the report ensures that you always have up-to-date information in the SAP Fiori launchpad designer.

More Information

For more information, go to http://help.sap.com/s4hana_op_1809, enter Integrating Web Dynpro and SAP GUI Applications Using Mass Maintenance into the search bar, press Enter , and open the search result with that title.


App Implementation


5.2.3 Maintain Business Catalogs and Business Groups

Prerequisites

You have replicated the app descriptors for apps using Web Dynpro or SAP GUI for HTML. For more information, see Replicate App Descriptors [page 90].

Context

The apps that are displayed to users on the SAP Fiori launchpad are organized by using catalogs and groups.

Catalogs are the smallest entities that define the apps you want to assign to your users for selection and authorization.

Groups define the grouping, sort order, and general appearance (tile or link) of apps that are initially displayed on the SAP Fiori launchpad home page for a user.

Procedure

1. Create your own catalogs.

For more information, see Maintain Business Catalogs [page 92].2. Add SAP Fiori apps to your catalog.

For SAP Fiori apps that are visible as tiles in the SAP Fiori launchpad, you add the app launcher tile and a target mapping to the catalog. For SAP Fiori apps not visible as tiles, as for example object pages, you only add the target mapping to the catalog. Object pages correspond to business objects. They are started by navigating from other applications or by using the search. By choosing a business object representation in an app or a search result, users navigate to the corresponding object page.

3. You can also add Web Dynpro apps and transactions using SAP GUI for HTML technology to your catalogs. For more information, see Adding Web Dynpro and SAP GUI for HTML Apps to a Catalog [page 96].

4. Create a group to display specific apps to your users by default on the entry page of the SAP Fiori launchpad.

For more information, see Maintain Business Groups [page 97].5. Add SAP Fiori apps from your catalogs to the group.

6. Assign groups and catalogs to users’ PFCG roles on the front-end server. For more information, see Create PFCG Role on Front-End and Assign Launchpad Catalogs and Groups [page 98].


The following diagram shows how the different entities required to set up launchpad content relate to one another:

For more information, go to http://help.sap.com/s4hana_op_1809, enter Setting Up Launchpad Content into the search bar, press Enter , and open the search result with that title.

5.2.3.1 Maintain Business Catalogs

Purpose

Create your own business catalogs to:

● Control which apps are assigned to users● Control which users are authorized to access related apps (for navigation)● Refine the appearance of a tile in the home page, for example to change texts and/or icons● Refine keywords used to find an app, for example when searching for an app in the SAP Fiori Search● Adjust the parameters passed between related apps


App Implementation


Prerequisites

You have replicated the app descriptors for apps using Web Dynpro or SAP GUI for HTML. For more information, see Replicate App Descriptors from Back-End System [page 90].

Context

The apps that are displayed to users on the SAP Fiori launchpad are organized by using catalogs and groups.

Catalogs are the smallest entities that define the apps you want to assign to your users for selection and authorization. A user can use SAP Fiori launchpad features such as App Finder or SAP Fiori Search to find and select any app from any catalog they have been authorized to use. Conversely a security administrator can use catalogs to generate and assign authorizations to a security role that are necessary to access all of the apps in the catalog.

For more information, see UI Content and Authorization Concept [page 75].

Catalogs collect apps regardless of the technology type. For example, a single catalog can contain a mix of SAP Fiori apps, Web Dynpro ABAP applications, and SAP GUI transactions.

Catalogs contain the following sub-entities:

● Tiles – that define the appearance of an app launcher tile in the SAP Fiori launchpad● Target Mappings – that define the app to be launched, including any parameters to be passed

NoteNot all apps require an app launcher tile. A single app may be launched from multiple places, that is it may have more than one source. For example an app may be launched:

● Via an app launcher tile or link on the user’s SAP Fiori launchpad home page● Via a link, button, or card of a related SAP Fiori app● Via SAP Fiori Search or the App Finder● Via a List of Links list based on the Semantic Object

The relationship between source and target is logically defined by a Semantic Object and Action using intent-based navigation.

For more information, go to http://help.sap.com/s4hana_op_1809, enter About Navigation into the search bar, press Enter , and open the search result with that title.

Different targets can be defined for the same source, for example depending on the device type or the business role. For example, if you have a collection of apps that are shared by multiple business roles, for which different parameters need to be passed depending on the business role, you can create:

● a catalog containing a set of shared app launcher tiles● a separate catalog for each business role with the specific target mappings for each business role

The source and target may be defined in different business catalogs. The user is assigned the sum of all sources and all targets of all of the business catalogs for which they are authorized.



NoteYou can use SAP Fiori Launchpad Intent Analysis to check the source to target mappings of a user.

For more information, go to http://help.sap.com/s4hana_op_1809, enter Analyzing Intents for SAP Fiori Launchpad into the search bar, press Enter , and open the search result with that title.

You maintain catalogs and groups in the launchpad designer.

SAP delivers the following entities that help you maintain your own, role-specific business catalogs and groups.

1. Technical catalogs, naming convention <...>_TC_<...>Technical catalogs serve as a repository of all apps delivered by SAP. They contain all target mappings and app launcher tiles relevant for apps per application area. They are intended to be used as a collection of references for creating your own custom business catalogs. Technical catalogs are not intended to be assigned directly to users.

2. Business catalogs, naming convention <...>_BC_<...>business catalogs contain a sample collection of target mappings and app launcher tiles relevant for a business role. The content of the business catalog is a subset of the content of the technical catalog. This subset reflects the requirements of a specific business user. For the business catalogs that contain a specific SAP Fiori app, see the SAP Fiori apps reference library. Business catalogs may be assigned directly to users, or used as a starting point for creating your own business roles.Technically, business catalogs contain references to the tiles and target mappings contained in the technical catalogs. References ensure that any changes to the original tile or target mapping can be changed centrally in the technical catalog and are propagated to the business catalog.

NoteChanging the configuration of a referenced tile or target mapping breaks the reference, and any subsequent changes must then be managed directly in the business catalog.

Procedure

1. Create your own custom catalogs by copying the business catalogs delivered by SAP as templates/samples and adjust them to your needs.For more information, go to http://help.sap.com/s4hana_op_1809, enter Copying Catalogs into the search bar, press Enter , and open the search result with that title.

NoteWe recommend using the business catalogs as the starting point for creating your own custom catalogs, since this will ensure to get a consistent set of SAP Fiori apps that supports app-to-app navigation by including the relevant target mappings. This will not be the case when you select only a set of single apps from the technical catalogs.

Exception: Some apps (mainly SAP GUI for HTML apps) are not contained in any business catalog and are only delivered as part of technical catalogs. In these cases, you need to select a single app (tile/target mapping) from the technical catalog and create a reference to copy it into your custom catalog.

2. Optional: You can adjust the content of the copied catalogs. For details, see Copying Tiles or Target Mappings to Catalogs [page 95].


App Implementation




3. You can also add transactions using SAP GUI for HTML technology and Web Dynpro apps to your catalogs. For more information, see Adding SAP GUI for HTML and Web Dynpro Apps to a Catalog [page 96].

4. Add SAP Fiori apps from your catalogs to the group.For more information, go to http://help.sap.com/s4hana_op_1809, enter Setting Up Content With the Launchpad Designer into the search bar, press Enter , and open the search result with that title.

5. Assign groups and catalogs to users’ PFCG roles on the front-end server. For more information, see Create PFCG Role on Front-End and Assign Launchpad Catalogs and Groups [page 98].

5.2.3.1.1 Copying Tiles or Target Mappings to Catalogs

Context

Using the launchpad designer, you can add apps (tiles and target mappings) to your catalogs. You can as well adapt the tiles and target mappings delivered by SAP.

Procedure

1. In the Implementation Guide (IMG) on the front-end server, choose SAP NetWeaver UI TechnologiesSAP Fiori Adding Apps to SAP Fiori Launchpad (Using SAP Fiori Launchpad Designer) SAP Fiori Launchpad Designer (Current Client) or open the following URL in your web browser:

https://<server>:<port>/sap/bc/ui5_ui5/sap/arsrvc_upb_admn/main.html?scope=CUST2. Select the Catalogs view in the top left corner and choose the technical catalog that contains the apps.

The launchpad designer displays the tiles of the apps from this catalog on the right-hand side.3. Choose Tiles.

The launchpad designer displays all tiles in the selected catalog.4. Select the app you want to add to your catalog and click Create Reference.5. Enter the custom catalog to which you want to add the app.6. Choose Target Mapping.

The launchpad designer displays all target mappings in the selected catalog.7. Select the corresponding target mapping and click on Create Reference.8. Enter the custom catalog to which you want to add the app.

The launchpad designer displays the Configure Target Mapping screen.9. Call the catalog you entered before and make sure that the tile and the corresponding target mapping are

included in the catalog.10. If you need to adjust the appearance of a tile, or the parameters or other settings of a target mapping, then

use the Configure option.



CautionSaving a new configuration will break any existing reference to the central definition in the Technical Catalog. Any subsequent changes to the technical catalog will need to be manually adjusted in the business catalog.

You can perform the following adjustments to custom catalogs:

○ You can remove undesired apps from the catalog by deleting the tiles and the matching target mappings

○ You can also add additional SAP Fiori apps to your catalog.For SAP Fiori apps that are visible as tiles in the SAP Fiori Launchpad, you add the app launcher tile and a target mapping to the catalog. For SAP Fiori apps not visible as tiles, as for example object pages, you only add the target mapping to the catalog. Object pages correspond to business objects. They are started by navigating from other applications or by using the search. By choosing a business object representation in an app or a search result, users navigate to the corresponding object page.

○ You can adjust the texts, icons, keywords and other information of a tile.○ You can add, remove or change the parameters of a target mapping.○ You can adjust the device types supported by a target mapping.

NoteAdjusting the supported device types only changes whether the tile and/or target mapping will be included when using the SAP Fiori launchpad on that device. It does not and cannot adjust the responsive behavior of the app. You should only increase the supported device types if the target app has been tested and confirmed to support the relevant device type.

For more information, go to http://help.sap.com/s4hana_op_1809, enter Copying Tiles or Target Mappings into the search bar, press Enter , and open the search result with that title.

5.2.3.1.2 Adding SAP GUI for HTML and Web Dynpro Apps to a Catalog

Context

In principle, all SAP GUI transactions and Web Dynpro applications can be used on the Fiori launchpad. However, they require a corresponding app descriptor as pre-requisite

There are three categories of SAP GUI transactions and Web Dynpro ABAP applications:

1. Applications for which SAP delivers app descriptors and that are included in both technical catalogs and business catalogs delivered by SAP

2. Applications for which SAP delivers app descriptors and that are included in technical catalogs only3. Applications for which SAP does not deliver any descriptors / standard content


App Implementation


These categories have been formed based on the most common usage of the SAP GUI transactions and Web Dynpro applications.

Applications of category 1 can directly be consumed for your launchpad, e.g. by creating a custom business catalog as copy of the SAP delivered business catalogs

To make use of applications in category 2, you need to add the app to your business catalog by creating a reference from the technical catalog of the app (tile/target mapping) to your custom catalog (see description below).

To find out if a certain transaction or Web Dynpro application is directly eligible for usage in the SAP Fiori Launchpad, you can search for it in the SAP Fiori apps reference library.

To do so, choose All apps for SAP S/4HANA All Apps and enter the transaction code into the search field. If an entry is found, it means that the transaction has been assigned an app descriptor and is eligible directly.

Alternatively, you can call transaction MM_APP in the backend system to search for existing app descriptors of transactions.

To integrate applications of category 3 to your SAP Fiori launchpad, you need to perform the following steps:

Procedure

1. Create an app descriptor in the backend and assign them to the technical catalog (using transaction MM_APP)

2. Assign a system aliases to the technical catalog3. Replicate the backend catalog to the frontend4. Create references from your business catalog to the tiles / target mappings in the replicated catalog to

consume the created content

For more information, go to http://help.sap.com/s4hana_op_1809, enter Integrating Web Dynpro and SAP GUI Applications Using Mass Maintenance into the search bar, press Enter , and open the search result with that title.

For more information on the replication, see Replicate App Descriptors from Back-End System [page 90].

5.2.3.2 Maintain Business Groups

Create your own business groups to:

● Define which apps initially appear on a user’s SAP Fiori launchpad home page● Define the grouping and sort order of apps that initially appear on a user’s SAP Fiori launchpad home page● Define whether an app appears as a tile or a link




Context

Business groups define the grouping, sort order, and general appearance (tile or link) of apps that are initially displayed on the SAP Fiori launchpad entry home page for a user. Groups can reference multiple apps from one or more catalogs. Groups do not grant authorizations. If a user is not authorized for an app provided by the group, the unauthorized app will not appear on the user’s home page.

Groups contain the optional sub-entities:

● Tiles – the apps that should appear as tiles on the home page, in the order in which they will appear● Links – the apps that should appear as links on the home page, in the order in which they will appear

NoteOn the SAP Fiori launchpad home page, tiles are displayed before the links that belong to the same group.

You maintain groups in the launchpad designer.

SAP delivers the following entities that help you maintaining your own, role-specific groups:

Business group, naming convention <...>_BCG_<...>

Business groups contain a set of applications from a business catalog that are displayed to a user by default on the entry page of the SAP Fiori launchpad. Users can further personalize groups by adding or removing apps from the SAP Fiori launchpad, provided the group is not locked. For example, you can use a locked business group to ensure certain important apps are always displayed to users, and unlocked business groups that users can rearrange to improve their personal productivity.

5.2.4 Create PFCG Role on Front-End and Assign Launchpad Catalogs and Groups

Use

You must perform this task and the following authorization- and role-related tasks on the front-end server to equip the user with the UI access to apps and the start authorizations for the activated OData services used by the apps.

We recommend adding the relevant catalog and the start authorizations for the activated OData services used by the apps in the catalog to the role menu of the same PFCG role. . Thereby, you keep the UI access provided with the catalogs together with the needed start authorizations. The system determines the OData services for a catalog and automatically includes the start authorizations when you add the catalog to the role menu.

Adding single OData service authorizations provides additional security, especially if the front-end server is set up as a separate hub. By specifying the services explicitly in the role menu, you control which requests on behalf of a user can pass Gateway.

As an alternative, it is possible to authorize all activated OData services by specifying a wildcard for the start authorization check on the front-end server (S_SERVICE = * (asterisk)).


App Implementation

CautionIf you use a wildcard, users can call all activated services. We therefore recommend not using wildcard authorizations in productive environments but adding single OData service authorizations.

Prerequisites

You have activated the OData service and have called it at least once before assigning start authorizations. For more information, see Front-End Server: Activate OData Services.

Procedure

1. Open transaction Role Maintenance (PFCG).2. Create a new single role and assign the following in the role menu:

○ Type Catalog○ Catalog Provider Fiori Launchpad Catalogs○ Catalog ID○ Optional (if the users should see the tiles in a group already on the SAP Fiori launchpad start page):

Type Group, Group IDAlternatively, you can copy the template business role delivered by SAP, which already contains the catalog and group, as sample content to your customer namespace.

3. To automatically enter the OData services, if available:○ Select the Local Front-End Server radio button.○ Mark the Include Applications checkbox.

4. To manually enter the OData services, for example, for analytical apps that are launched by using a KPI tile, do the following:1. Add the following in the (new or copied) role menu for each of the OData services:

○ Type Authorization Default○ Authorization Default TADIR Service○ Object Type IWSG – Gateway: Service Groups Metadata

2. Select TADIR Service using value help for the object name with <name of activated service>.3. Enter the name as follows: <technical name>_<four-digit version number with leading

zeros>.For more information about how to determine the OData service name for apps , see Front-End Server: Activate OData Services.

5. Save the role menu, and go to the role authorization, change the authorization data, and adopt the generated authorizations accordingly.

6. Generate the authorization profile and save it.

NoteWhen a catalog is changed in the launchpad designer, for example, an app is added or removed, you must update the start authorizations for the services in the back-end system and the business authorizations for


accessing business data that are displayed in the app. If you added the catalogs to the back-end PFCG roles and included the applications, you can determine the roles that must be adapted by using the PRGN_COMPARE_ROLE_MENU report. You can call this report directly or by calling up transaction PFCG and choosing Utilities Update of Application Groups in Role Menu . In the selection screen of the report, select the option Application Group = SAP Fiori Tile Catalog.

In Role Maintenance (PFCG), you compare and update the roles to reflect the authorizations changes as given in the current definition of the catalog.

However, the comparison (both using the report or comparing in PFCG) does not include applications or services that you added manually to the role menu.

For more information, go to http://help.sap.com/s4hana_op_1809, enter Update Authorization Defaults for Tile Catalogs into the search bar, press Enter , and open the search result with that title.

5.2.5 Assign Roles to Users

Use

You have to assign the roles on the front-end server with the catalogs, groups, and OData start authorizations to users.

Procedure

1. In transaction Role Maintenance (PFCG) on the User tab, assign the role containing the catalogs, groups, and OData start authorizations to a user by specifying the user ID.Thereby, the user has UI access to the apps in the catalogs and the start authorizations for the respective OData services on the front-end server.

5.3 Implementation Tasks on Back-End Server

This section contains the tasks you perform on the back-end server to implement SAP Fiori apps.

NoteUser names in the ABAP back-end server must be identical to the corresponding user names in the ABAP front-end server. User mapping is not supported. For this purpose, you can use Central User Administration (CUA) or identity management systems.


App Implementation


5.3.1 SAP GUI for HTML transactions, Web Dynpro applications and Design Studio apps

5.3.1.1 Activate ICF Services of Web Dynpro Apps

Use

To call a Web Dynpro app, you use a dedicated URL, which accesses your back-end system.

A component called the Internet Communication Framework (ICF) runs on your back-end system. The URL calls a service in the ICF (ICF Service). The ICF service executes one or more ABAP programs to compile the requested data and returns it to the web browser.

Each Web Dynpro app uses its own ICF service. For security reasons, all ICF services initially are inactive and have to be activated first.

NoteWe recommend that you only activate the services for the apps you want to use.

Prerequisites

You have collected the following information from the SAP Fiori apps reference library:

● WebDynpro Component NameThis name specifies the app-specific ICF service.

Procedure

Activate the ICF services of your Web Dynpro app on your back-end server. In the HTTP Service Hierarchy Maintenance transaction, you find the ICF service under the path /default_host/sap/bc/webdynpro/sap/<WebDynpro Component Name>. Alternatively, you can use the WebDynpro Component Name as filter for the Service Name to locate it.

To activate an ICF service, proceed as follows:

1. Choose Tools Administration Network HTTP Service Hierarchy Maintenance or start transaction SICF.

2. You are on the Define Services screen. The system defaults the Hierarchy Type SERVICE.

Choose or press F8 .3. You are on the Maintain service screen, which offers a filter area called Filter Details.


Enter the name of the ICF service you want to activate in the ServiceName field in the Filter Details screen

area and choose .

NoteIf you know the path of the ICF service, you can also navigate to it in the Virtual Hosts / Services screen area.

4. The system filters the service hierarchy in the Virtual Hosts / Services screen area for the path leading to the filtered ICF service. Highlight the ICF service and choose Service/Host Activate .

5. The Activation of ICF Services dialog box appears.

Choose to activate the selected service including all the sub services.

5.3.1.2 Activate ICF Services for SAP GUI for HTML

Context

You have to activate ICF services to enable the start of SAP GUI for HTML. You have to do this once for all SAP GUI for HTML apps.

Procedure

1. Start transaction SICF.

2. Choose .

3. In the Virtual Hosts/Services area, navigate to the following services, and choose Service/HostActivate for each:○ /sap/bc/gui/sap/its/webgui○ /sap/bc/apc/sap/webgui_services○ /sap/bc/gui/sap/its/typeahead

4. In the Activation of ICF Services dialog box, choose to activate the selected service including all the sub services.


App Implementation

5.3.1.3 Optimize the Fiori Launchpad Embedding for SAP GUI for HTML Apps

Prerequisites

You have activated the ICF node /sap/bc/gui/sap/its/webgui.

Context

The following settings are recommended for embedding GUI-based functionality in the Fiori Launchpad in an optimized way.

Procedure

1. In transaction SICF, create an external alias for /sap/bc/gui/sap/its/webgui.

2. Set the following service Parameters:

Parameter Value Effect

~SINGLETRANSACTION 1 Window session is closed after starting transaction is left. In combination with the below logoff handler, this is used to close the window automatically after a transaction completes.

This mode can cause certain transactions to close without showing a success message even though the document was processed successfully. If your scenarios are affected by such cases, consider changing this parameter value to 0.



~WEBGUI_SIMPLE_TOOLBAR 7918 Bitmap for customizing the toolbar:

○ Bit 0 = 0: Standard settings (equals to Bits 1/2/5 set)

○ Bit 1 = 1: Title Bar shown○ Bit 2 = 1: "Cancel" and "Help" but

tons shown○ Bit 3 = 1: Turns on Tools Buttons

(e.g. "Back", "Print")○ Bit 4 = 0: Separate system menu○ Bit 5 = 1: Application Button bar○ Bit 6 = 1: Show the Standard

Menu below a button○ Bit 7 = 1: Setting this bit turns off

the information tab (System, User) in the status bar

○ it 9 = 1: no System Menu Bit○ B 10 = 1: no Help Menu○ Bit 11 = 1: no OK Code field○ Bit 12 = 1: No F1 Help

NoteCertain transactions may require usage of functions in the system menu, so you may want to consider to leave Bit 9 set to 0 (corresponding to value 7406).

For more information, see SAP Note 1010519 .

~WEBGUI_ICON_TOOLBAR 2 Shows button icons instead of text.

~XSRFCHECK 1 Cross Site Request Forgery Check support of WebGUI enabled.

For more information, see SAP Note 1481392 .

~THEME sap_bluecrystal Default theme is set to Blue Crystal (mainly takes effect when run in standalone mode).

~WEBGUI_DLGAREA2 0 Do not show the Personas SAPGUI-like menu header, instead use simplified look.


App Implementation




~WEBGUI_DLGAREA2_MBAR 0 Do not show the Personas SAPGUI-like menu header, instead use simplified look.

~WEBGUI_CONTEXTMENU 0 Disable context menu (does not disable keyboard shortcuts)

~WEBGUI 1

SAP-IE edge Force Microsoft Internet Explorer to make use of edge mode.

~NO_DOMAIN_RELAXING 1 Deactivate domain relaxation

3. In addition, define a logoff handler page to automatically close the window. Under Error Pages, choose Logoff Page and enter the following:

NoteMake sure you create the texts while logged in with the language that is maintained in profile parameter zcsa/second_language in RZ10 in order to avoid language dependency issues.

○ Explicit Response Page Header<NO_TRANSLATION><HEADER>ITS-Cmd:1</HEADER><HEADER>ITS-Cmd-JSON:1</HEADER></NO_TRANSLATION>

○ Explicit Response Page Body{ ITS : { cmd : { Javascript : { name: "Javascript", content:"(function() {top.close();})()" }}}}

5.3.2 Assign RFC Authorization to User

Use

If the OData back-end service is located on a remote back end, users need permission to perform the RFC call on the back-end system.

Prerequisites

You have created a user on the front-end system.


Procedure

1. In the User Maintenance transaction (SU01) under Information Information System , check if the user has the required authorizations S_RFC and S_RFCACL for trusted RFC.

2. If the user does not have the authorizations, assign a role including the RFC authorization objects S_RFC and S_RFCACL to the back-end user that corresponds to the front-end user.

5.3.3 Create PFCG Role on Back-End

Use

You must perform this task to equip the user in the back-end system with the authorizations required for the apps launched from SAP Fiori Launchpad. We recommend organizing the roles according to the roles on the front-end server for the catalogs.

The authorizations required for a particular application are provided via the application itself or via the OData service of the application in case of SAP Fiori apps. This includes the start authorizations for the service or the application in the back-end system and the business authorizations for accessing business data displayed in the app. By adding the application or OData service to the menu of back-end PFCG roles, you add the start authorization and the authorization proposals for the business authorizations. You can adjust these according to your needs.

We recommend adding all applications and services required by apps of a certain catalog to the same role. This PFCG integration of SAP Fiori tile catalogs adds the catalog to the role menu to automatically include the OData services, Web Dynpro and SAPGUI for HTML applications. You can create a new role or use an existing role that fits to the scope of the catalog. If you add the applications and services to an existing role, the authorization proposals have to be merged with the authorization values already defined in the role. You can consider using existing roles if the following applies:

● The same users assigned to the role shall get access to all apps in the catalog.● The business authorizations already defined in the role and those that you define for the apps in the

catalog do not contradict.

Procedure

1. Run transaction Role Maintenance (PFCG) and create a new PFCG role or edit an existing role.2. To enter the catalog and automatically include the OData services, Web Dynpro and SAPGUI for HTML

applications, on the menu tab open the menu of the pushbutton for adding objects and choose SAP Fiori Tile Catalog.○ Select the Remote Front-End Server radio button and provide the RFC variable or the RFC destination

to establish a connection to the front-end server.○ Select the Include Applications checkbox.○ Select the catalog for which the authorizations shall be included. The value help lists all catalogs

available on the front-end server. The OData services, Web Dynpro applications and SAPGUI for HTML applications are added to the role menu as sub-nodes of the catalog.


App Implementation

NoteTo ensure support for automated OData service integration for existing custom analytical apps created based on SAP NetWeaver 7.50 and lower, edit and save the corresponding KPI tile again using KPI Designer.

3. To manually add Web Dynpro apps and SAP GUI for HTML apps, do the following:○ Web Dynpro: On the Menu tab, open the menu of the pushbutton for adding objects (+ pushbutton)

and choose the object type Web Dynpro Application. Enter the Web Dynpro application.○ SAP GUI for HTML: On the Menu tab, open the menu of the pushbutton for adding objects (+

pushbutton) and choose the object type Transaction. Enter the transaction code.4. Repeat steps 2 to 3 for all applications and services of the catalogs that you want to authorize with the role.5. On the Authorization tab, choose Change Authorization Data6. Maintain the desired authorization values and activities (if the user does not yet have the business

authorizations required to use the app).7. Choose Save and then Generate to generate the authorization profile for the role.8. Save the role.

When done with the role creation, you can continue with user assignment to the role.

NoteWhen a catalog is changed in the launchpad designer, for example, an app is added or removed, you must update the start authorizations for the services in the back-end system and the business authorizations for accessing business data that are displayed in the app. If you added the catalogs to the back-end PFCG roles and included the applications, you can determine the roles that must be adapted by using the PRGN_COMPARE_ROLE_MENU report. You can call this report directly or by calling up transaction PFCG and choosing Utilities Update of Application Groups in Role Menu . In the selection screen of the report, select the option Application Group = SAP Fiori Tile Catalog.

Alternatively, in Role Maintenance (PFCG), you can compare and update the roles to reflect the authorizations changes as given in the current definition of the catalog.

However, the comparison (both using the report or comparing in PFCG) does not include applications or services that you added manually to the role menu.

For more information, go to http://help.sap.com/s4hana_op_1809, enter Update Authorization Defaults for Tile Catalogs into the search bar, press Enter , and open the search result with that title.

Additional Steps for Object Pages

If the catalog contains object pages, the authorization defaults contain the S_ESH_CONN (search connector) authorization object.

You must add entries to the authorization object S_ESH_CONN in the subtree Basis: Administration. Fill the following fields:

● Request of Search Connector● Search Connector ID● System ID● Client

For the values, see the app-specific documentation.



5.3.4 Assign Roles to Users

Use

You have to assign the roles on the front-end server with the catalogs, groups, and OData start authorizations to users.

Procedure

1. In transaction Role Maintenance (PFCG) on the User tab, assign the role containing the catalogs, groups, and OData start authorizations to a user by specifying the user ID.Thereby, the user has UI access to the apps in the catalogs and the start authorizations for the respective OData services on the front-end server.

5.3.5 Create Search Connectors for Object Pages on Back-End Server

Use

To enable the use of a specific object page, the underlying search model(s) must have been activated.

When activating a search model, a search connector is created. A connector is the runtime object corresponding to the search model. It is system-specific and client-specific.

When available, the search models that need to be activated for your app are listed in the app-specific implementation information and are present in the authorization defaults of the OData services, see Maintain Authorization Default Values (SAP) (SU22). For more information, see the app-specific documentation.

Prerequisites

The SAP Fiori search has been set up. For more information, see Setup of SAP Fiori Search.

Activities

For each app, create the search connectors in transaction ESH_COCKPIT in your back-end system. For more information, see Setup of SAP Fiori Search and then Activities Setup of SAP Fiori Search in the Back End6. Create connectors .


App Implementation

5.4 Creating Custom Analytical Apps Using a KPI Tile

For the analytical apps that are launched by using a KPI tile, you can create custom apps by performing the following tasks:

1. Modeling KPIs [page 109]2. Configuring Navigation in SAP Smart Business [page 110]

5.4.1 Modeling KPIs

Use

Analytical apps can be launched by using KPI tiles. You can define new KPIs or adapt predefined KPIs to determine what information is displayed and how it is visualized in the tile.

To enable you to model your own KPIs according to your business needs, SAP provides SAP Smart Business modeler apps and predefined KPIs that you can adapt as required.

For information about whether your app is launched by using a KPI tile, see the app-specific documentation.

Prerequisites

● You have installed the SAP Smart Business modeler apps on the front-end server.● Your user is assigned to the SAP Smart Business modeler apps. The business role

SAP_BR_ANALYTICS_SPECIALIST contains the catalog and group provided by SAP. To run these apps, users need the authorizations for the OData service /SSB/SMART_BUSINESS_RUNTIME_SRV. We recommend that you define a role on front-end server using the SAP delivered catalog and group as described in Create PFCG Role on Front-End and Assign Launchpad Catalogs and Groups [page 98] and a corresponding role on the back-end server as described in Create PFCG Role on Back-End [page 106].

Activities

Model KPIs according to your requirements.

NoteYou can use the entities provided by SAP as templates for your own KPIs.

To do so:

1. Copy the KPIs to your own namespace by using the KPI Workspace app.2. Re-create any evaluations and tiles in your own namespace.


3. Adapt the objects according to your needs.

More Information

● For more information about modeling KPIs, see SAP Help Portal at http://help.sap.com/s4hana_op_1809Product Assistance Cross Components Analytics SAP Smart Business Modeler Apps .

● For more information about drill-down applications for KPIs, see SAP Help Portal at http://help.sap.com/s4hana_op_1809 Product Assistance Cross Components Analytics SAP Smart Business Modeler Apps Configure Drill-Down .

● For information about whether an app uses a KPI tile, see the app-specific documentation for SAP Fiori apps.

5.4.2 Configuring Navigation in SAP Smart Business

SAP Smart Business enables users to navigate from generic drilldown applications to other applications.

This navigation is based on navigation targets that are specified by means of semantic objects and semantic actions that you define in the Add Evaluation application.

Creating Navigation Targets

For new evaluations, you maintain the navigation targets in the Add Evaluation application under Data Sources Semantic Object/Action . You can add one or more semantic objects to an evaluation. Adding actions for semantic objects is optional. If you do not provide an action, all apps for the given semantic objects are shown in the Smart Business drilldown page.

When maintaining semantic objects and actions, note the following:

● Avoid duplicate entriesWhen you have already created an semantic object Supplier and try to create a second semantic object Supplier, the system does not allow you to create the second entry and only keeps the first semantic object.

● Semantic objects and semantic actions are case-sensitive.● The following characters are invalid and must not be used for semantic objects and actions: question mark

(?), ampersand (&), pound sign (#), dash (-), space

Editing Navigation Targets

In the KPI Workspace app, you can edit your evaluations and add, change, or delete semantic objects and actions.


App Implementation




NoteIf you want to change navigation targets that have been created before SAP S/4HANA Cloud 1608 or SAP S/4HANA 1610 FSP 00, you need to activate the changes that you apply in the KPI Workspace app and the KPI to which the respective evaluation belongs needs to be transported.

Evaluation of Navigation Targets at Runtime

The semantic objects and actions that you have maintained in the evaluation are used to populate the list of applications to which the user can navigate from the SAP Smart Business runtime application. For this, the required authorizations are added to the business role which contains the catalog in which the application is available.

● If you want to navigate directly from the chart or table, you have to maintain the dimension as a mandatory parameter. When you navigate to the application, the content of the current selection are passed, for example, the dimension details. If the parameter is not available or not valid, the application would not be displayed as a possible navigation target.

● If the dimension is not specified as a mandatory parameter, you can still navigate to the application by choosing Open In. The list of applications that are maintained as navigation targets and not specified as mandatory are displayed and you can navigate to the respective applications.

ExampleYou have created the Supplier Evaluation By Time evaluation and defined the following applications for navigation:

● Document - defined as mandatory parameter● Purchasing Category● Manage Activities● Supplier● Manage Purchase Orders

You can navigate to the Documents application directly from the chart or table. Navigation to the other applications is available via Open In.


6 Troubleshooting for SAP Fiori Apps

This section provides a central starting point for solving problems related to configuring and running SAP Fiori apps.

For additional troubleshooting information, go to http://help.sap.com/s4hana_op_1809, enter SAP Fiori Launchpad into the search bar, press Enter , open the search result with that title and navigate to the section Troubleshooting.

6.1 Tools For Error Analysis

If the problem is related to customer-defined content that is not working as expected, there are a couple of tools to check the content for consistency.

In the rest of this document, there are references to the following tools:

SAP Fiori Launchpad Intent Resolution Analyzer

The SAP Fiori Launchpad Intent Resolution Analyzer (FLIA) can help you to find out if an intent (combination of semantic object and action) can be resolved. The FLIA also allows you to check the intent for a dedicated device type for configuration, customizing, and personalization.

The SAP Fiori Intent Analyzer can be started with the transaction code /UI2/FLIA.

SAP Fiori Content Check

The SAP Fiori Launchpad Content Check (FLC) helps you to analyze your catalogs for potential issues such as unresolvable intents or tiles without mappings. The FLC can also be restricted to either configuration,


Troubleshooting for SAP Fiori Apps


customizing, or personalization. The following example shows the check results for a catalog that contains a tile but no mapping:

The SAP Fiori Launchpad Content Check can be started with the transaction code /UI2/FLC.

Catalog Consistency Check in the SAP Fiori Launchpad Designer

The SAP Fiori launchpad designer also provides some consistency checks for catalogs and a where-used list that can help to analyze the catalog during maintenance. In comparison to the FLC (mentioned above), the consistency check in the designer has fewer capabilities.

Performance Aspects

You can add the string sap-statistics=true& to the URL. Every request to the server will then return statistical data on how much time was spent on the frontend server, on the backend server, and on for the remote function call.

UI Technology Guide for SAP S/4HANA 1809Troubleshooting for SAP Fiori Apps P U B L I C 113

6.2 General Problems and Solutions

6.2.1 Caching Problems

Most issues that occur are related to cached content that should be deleted. That is why it is important for you to regularly delete the cache, especially after the upgrade to a new release and the application of support packages or certain SAPUI5 notes.

Deleting Caches

There are three caches involved where a deletion could solve the problem:

1. Delete the SAP Fiori content caches using the /UI2/INVALIDATE_GLOBAL_CACHES report.2. Delete the browser cache using the respective function in the browser. For example, in Internet Explorer,

choose Internet Options General Browser History Delete .3. Delete the Metadata Cache on the Gateway Server (only relevant after import of support packages). To do

so, make settings in the Clear Cache customizing activity in the IMG (SPRO transaction) under SAP Netweaver Gateway OData Channel Administration Cache Settings Metadata Clear Cache .

6.2.2 SAP Fiori App Cannot Be Opened

Issue Description

When you click on a tile, the app does not start and a popup with the message "Could not open app. Try again later" is displayed.

Issue Analysis & Resolution

The error described above can have different root causes.

A. Missing Software Component

If this issue occurs for job scheduling apps or apps displaying application logs, please check if the software component UIBAS001 is installed.



B. Inactive ICF nodes

1. Call the SAP Fiori launchpad and clear your browser cache on your computer and try to reproduce the problem.

2. If you receive the same popup, call the browser's console (for example, by pressing F12 in Google Chrome).

3. Clear the console.4. Click on the tile again and check the console.

If you get an error stating with “Error: found in negative cache”, the app probably cannot start because of a deactivated ICF node.

TipEach app has two ICF app nodes and both must be active to start the app.

Activate the ICF nodes.5. Call the transaction SICF on the frontend server and search for the BSP name of the app.

You can find the BSP name of the app by using the SAP Fiori apps reference library.The BSP name occurs twice. Both occurrences must be activated.

6. Clear the cache.Run the /UI2/INVALIDATE_GLOBAL_CACHES report to clear the SAP Fiori launchpad caches.

C. New UI sources

Check if your gateway system has the report /UI5/APP_INDEX_CALCULATE scheduled.



For details. go to http://help.sap.com/s4hana_op_1809, enter SAPUI5 Application Index into the search bar, press Enter , and open the search result with that title.

D. Misconfiguration of the system alias

1. Get the system alias for your app.Call the transaction /IWFND/MAINT_SERVICE and search for the OData service of your app.The system alias is displayed in the lower right corner.

2. Check the system alias configuration in the IMG.To do so, make settings in the Manage SAP System Aliases customizing activity in the IMG (transaction SPRO) under SAP NetWeaver Gateway Configuration Connection Settings SAP Gateway to SAP System Manage SAP System Aliases .

3. Check that the For Local App flag is not selected.

6.2.3 Error “Service Failed” in App

Issue Description

When users start the app, a popup is displayed saying that the service failed.


This error is raised when the OData service is not active. Call the transaction /IWFND/MAINT_SERVICE and activate the service. The corresponding ICF node must be active too.




6.2.4 Web Dynpro ABAP / SAP GUI for HTML App Cannot Be Started

Issue Description

Users want to start a Web Dynpro ABAP or an SAP GUI for HTML app but they get an error message instead. Below is an example of the error message for the Set Controlling Area app.


This error message is an indicator that a connection is not properly established between the frontend server and the backend server, where the Web Dynpro ABAP or SAP GUI for HTML app is located.

One possible cause for this can be a missing RFC connection for a specific system alias. For more information, see Set up RFC Connections to a Back-End System [page 86].

6.2.5 New App in Catalog Does Not Appear on the SAP Fiori Launchpad

Issue Description

You have added a new app to an existing catalog and transported the catalog to a target system but it does not show up on the end users’ SAP Fiori launchpad.


Possible Root Causes

For this problem, there are several possible root causes:

● Root cause 1: Caches have not been cleared.● Root cause 2: App is not released for the device type.● Root cause 3: Target mapping is not part of a catalog included in the users’ role.● Root cause 4: Customizing layer is overwriting the configuration layer.

Issue Analysis and Resolution

● Root cause 1Delete the caches.The users should delete the browser cache.The admin should delete the SAP Fiori launchpad caches by starting the /UI2/INVALIDATE_GLOBAL_CACHES report.

● Root cause 2Check the target mapping.If the issue occurs only on certain device types, the target mapping was not released for the device type and thus the tile is automatically hidden.

● Root cause 3Check if the user has a role assigned that points to the catalog that includes the target mapping.

NoteIt is important to understand that if a role points to groups with apps coming from different catalogs, all relevant catalogs have to be in that role. If one catalog is missing, all apps coming from the missing catalog are automatically hidden.

● Root cause 4Check if there is a customizing layer for the catalog.If the catalog was changed in the designer in CUST mode (customizing mode), a layer is created that hides new apps coming into the catalog in CONF mode (configuration mode).To check if such a layer exists, use the SAP Fiori launchpad content check (transaction /UI2/FLC). Use the report first with the setting for Configuration. If the report does not display any error for the app that causes the problems, run it for Customizing.Call the SAP Fiori launchpad designer in CUST mode (URL extension scope=CUST). Catalogs that differ between the customizing and configuration layers are marked with a red icon.



To delete the customizing layer, while you are in the customizing mode (!), drag the catalog to the trash bin area. Then refresh the browser.

TipYou can easily identify which mode you are in by checking the upper right corner. If you can see Client: ALL, you are in configuration mode, and if a specific client is displayed, you are in customizing mode.

Configuration Mode:

Customizing Mode:

6.2.6 SAP Fiori Content Doesn't Get Deleted Correctly

Issue Description

You quickly delete a series of tiles/mappings. The objects disappear from the designer but, after a refresh of the browser, some of the deleted objects appear again.


Issue Resolution

When deleting objects from the SAP Fiori launchpad designer, wait until you get the toast message that the object was successfully deleted before trying to delete the next object.

6.2.7 Chip Instance Not Found

Issue Description

You are creating, for example, new tiles in a catalog. When you try to save the configuration details, you receive an error message stating that a chip instance was not found and after refreshing the browser, none or only parts of your data was saved.

Issue Resolution

This effect can occur when more than one application server is used. When a tile or mapping is created, the OData service is redirected to one server to retrieve the GUID of the tile/mapping, but when you enter the details and save again, the request might be redirected to a different server. If the time between the save actions is very short, the servers might not be in sync. Then, the SAP Fiori launchpad designer raises an error because the second request wants to save data for a tile/mapping that does not exist yet on the other server.

If you have a multi-server setup, follow the instructions in SAP Note 2057804 .

6.2.8 No Or Too Little Data Is Shown in the App

Issue Description

Users call an app and see either no data or too little data, even when the app is configured properly.




Issue Analysis and Resolution

The most probable reason is an authorization issue:

1. Check if any authorization violations are shown in the transaction SU53.2. If transaction SU53 shows no violations, the issue could be the following:

Some apps make use of the Service Adaption Definition Language (SADL). This API offers the possibility to pass ABAP authorization objects. If this is used, an SQL statement is generated that excludes all data the user is not allowed to see by evaluating the handed-over authorization objects.This technique leads to the issue that a valid SQL statement without any authorization violations is always generated. This means transaction SU53 cannot pick up any issues and the app will not raise an error message indicating that there is a lack of authorizations.For more information, please read SAP Note 2147808 .Similar cases are when apps directly make use of CDS views where authorizations are modeled in DCLs. In that case all authorizations traces only show positive results even if due to missing authorizations the returned dataset was reduced.

If no data is shown, there could be a second reason. In very rare cases, it can happen that the artifacts of Data Control Language (DCL) on the ABAP server are not synchronized with the database. In this case, an initial load can be triggered with the SACM transaction. Be aware that this initial load takes some time and should not be done during production use.

The component for problems related to DCL issues is BC-SEC-AUT-DCL.

6.2.9 OData Service of Factsheets Cannot Be Activated

Issue Description

You are not able to activate a Factsheet-specific OData service. The following message is displayed: "Metadata not loaded - See /IWEP/ERROR_LOG...".

Issue Resolution

1. Log on to the backend and start the transaction ESH_TEST_SEARCH.2. Enter the corresponding connector (for example, DBOM1_H) as object type and run the report ( F8 ) or

check the connector.3. In case of an error stating that there are no search connectors for selected scope, activate the

corresponding search connector in the backend.



6.2.10 How to Find Out which SAP GUI Transactions Can Be Used on the SAP Fiori Launchpad

To find out if a certain transaction or Web Dynpro ABAP application can be used on the SAP Fiori launchpad, you can search for it in the SAP Fiori apps reference library. To do so, choose All apps for SAP S/4HANA All Apps and enter the transaction code into the search field. If an entry is found, it means that the transaction has been assigned an app descriptor and is eligible for usage in the SAP Fiori launchpad.

Alternatively, you can call transaction MM_APP in the backend system to search for existing app descriptors of transactions. You can also use MM_APP to create app descriptors for your own transactions or Web Dynpro ABAP applications.

6.2.11 How to Improve Ticket Processing Time

To speed up the processing time of tickets, try these quick fixes:

● Use the correct component.




To find the correct component for creating tickets, please check the app information in the SAP Fiori apps reference library. Here is an example:

● Always provide the backend system information and gateway system (if a local gateway is not used).● Provide the app version, SAP UI5 version, and SAP Fiori app ID in the ticket.

To retrieve this information, call the About dialog of the app.




● Try to find out if the problem is a backend or frontend issue:○ Perform all actions until you are one step ahead of the action causing the issue.○ Open the developer tools of your browser ( F12 ), clear the shown network, and console entries.○ Perform the action that causes the issue and retrieve the proper network request:

○ Check if the request works without any issues or timeouts.○ Provide this information and the retrieved request in the ticket to accelerate processing time.

6.2.12 Apps For Job Scheduling or Application Log Display Cannot Be Opened

Issue Description

Applications that are using the job scheduling or application log framework are not starting and showing error message "Error – Could not open app".



Issue Resolution

If this issue occurs for applications that are of type Transactional (Generic UI5 Job Scheduling Framework) according to the SAP Fiori apps reference library, please check if the software component UIBAS001 is installed on the frontend server.

Those applications use generic services and UIs from ABAP Platform and only provide app-specific configurations that are part of the application frontend software component like UIAPFI70. So both UI software components are required to get the apps running.

6.2.13 Apps Are Not Working Anymore After Upgrade

Issue Description

After an upgrade, certain apps that worked before can no longer be opened.


Some SAP Fiori apps make use of the user default settings that users can enter on the SAP Fiori launchpad under Settings Default Settings .

Such applications require the activation of the service FIN_USER_DEFAULTPARAMETER_SRV on the frontend server. In addition, the business catalogs containing SAP Fiori apps that require this service must have the target mapping with the intent shell~plugin.

If certain apps no longer work after an upgrade, check whether the service and the mapping are configured correctly.

For more information, go to http://help.sap.com/s4hana_op_1809, enter Additional Implementation Activities for All Finance Apps into the search bar, press Enter , and open the search result with that title.

6.2.14 System Error When Accessing Knowledge Provider

Issue Description

When uploading a file or an attachment in an SAP Fiori app that sends the call to the SAPOffice API, the error message System error when accessing Knowledge Provider is displayed and the action is canceled.




Issue Resolution

In transaction SLG1, check logs for object SCMS and SDOK (for user uploading the document) and look for erroneous entries. Common problems include:

● The content repository is not set up (or not set up correctly) – see transaction OAC0.● Antivirus rejects the entry.● Inconsistency in table SDOKPROF.



7 Extensibility

SAP S/4HANA natively embodies key user in-app extensibility tools, offering the means to change and adapt the UI layout and context, create custom fields, create and extend analytical reports and forms, and change the business logic. With SAP S/4HANA, you can implement in-app extensions satisfying all extensibility qualities. In particular, end-to-end tools enable business experts to apply changes without risk, as the technical complexity is reduced to a level that corresponds to the business purpose and is stable and fault tolerant. Thanks to a strict tool-based approach, these extensions are loosely coupled with core business processes and contribute to a pace-layered IT.

In addition, the UI development toolkit for HTML5 (SAPUI5) offers you a broad range of means for adapting SAP Fiori apps to your specific requirements.

7.1 Adapting the User Interface

Use

Key users can adapt the user interface (UI) of their apps at runtime in a modification-free way, for example, by adding, removing, or moving fields and groups. Runtime adaptation is supported for apps that use SmartForm controls with stable IDs. Note that you can only add fields which have been made available for this app. If you need additional fields, you have to create them as described under Creating Custom Fields and Custom Business Logic.

More Information

For more information, go to http://help.sap.com/s4hana_op_1809, enter Adapting SAP Fiori UIs at Runtime into the search bar, press Enter , and open the search result with that title.

7.2 Creating Custom Fields and Custom Business Logic

Use

Field extensibility refers to the capability to add customer-specific fields (custom fields) to a business context of an application (for example, a sales order item or a customer address) in a one-to-one relation. After the field has been defined, all necessary software artifacts are generated by the extensibility tool: SAP database tables and application structures are enhanced by using the “DDIC extension include” concept. Assigned SAP core

UI Technology Guide for SAP S/4HANA 1809Extensibility P U B L I C 127


data service (CDS) views, SAP Fiori search, and OData services are extended as well. As the applications are prepared for this kind of extensibility, they do consider these extension fields in their business logic, so the generated fields can be used directly.

Business logic extensibility refers to the enhancement of the behavior of applications and processes. You can enhance a modifiable application at a designated point to implement your custom logic.

You use the Customer Fields and Logic app to implement these extensions.

More Information

For more information, see http://help.sap.com/s4hana_op_1809 under Product Assistance Enterprise Technology ABAP Platform General Functions for Key Users Extensibility Information .

7.3 Adding Custom Views

Use

To extend views, you use extension points. These constitute anchor points for extensions. To activate an extension point, you insert the SAPUI5 control < core:ExtensionPoint / > into an SAP-shipped HTML5 application based on an XML-type view. Extension points are documented and kept stable. This means that any extensions plugging in are more robust across application updates.

More Information

For more information, go to http://help.sap.com/s4hana_op_1809, enter SAPUI5: UI Development Toolkit for HTML5 into the search bar, press Enter , open the search result with that title, and navigate to the following sections:

● Extending Apps Using Component Configuration View Extension

● Essentials Model View Controller (MVC) Views XML View


Extensibility



7.4 Adapting Database Extensions to SAP S/4HANA

Context

When you convert your system from SAP Suite on HANA to SAP S/4HANA, modifications to the SAP HANA database remain unchanged. However, to make your modifications visible on the UI, manual steps can be required in different content layers.

Procedure

1. If required for your modifications, adapt the relevant Core Data Service (CDS) views in the SAP Business Suite layer. You can extend CDS views by using ABAP development tools. For more information, see http://help.sap.com/s4hana_op_1809 Product Assistance English Enterprise Technology ABAP Platform Developing on the ABAP Platform Development Concepts and Tools Application Development on AS ABAP ABAP Development Tools - Eclipse SAP (On-Premise) - ABAP CDS Development User Guide Tasks Defining Data Models Using CDS Tools Extending Data Models .

2. If required for your modifications, adapt the OData services for your CDS views in the SAP Gateway layer:○ For OData services that are included in a CDS view definition as an annotation, the relevant artifacts

are generated automatically. No modifications are required in the SAP Gateway layer. For more information, see http://help.sap.com/s4hana_op_1809 under Product Assistance EnglishEnterprise Technology ABAP Platform Developing on the ABAP Platform Development Concepts and Tools Application Development on Application Server ABAP SAP (On-Premise) - ABAP Programming Model for SAP Fiori Get Started Developing a Simple List Reporting App Generating OData Service With Auto-Exposure .

○ OData services that are not included in a CDS view definition must be redefined in Service Builder. For more information, see http://help.sap.com/s4hana_op_1809 under Product Assistance EnglishEnterprise Technology ABAP Platform Developing on the ABAP Platform Development Concepts and Tools SAP Gateway Foundation (SAP_GWFND) SAP Gateway Foundation Developer GuideSAP Gateway Service Builder Data Modeling Basics Data Modeling Options Redefining Services .

3. If available for your app, you can use runtime adaptation to add, move, or remove view fields in the UI layer. For more information, see Adapting the User Interface [page 127]. As an alternative, you can extend views by using SAP UI5 extension points. For more information, see http://help.sap.com/s4hana_op_1809 under

Product Assistance English Enterprise Technology ABAP Platform UI Technologies SAPUI5: UI Development Toolkit for HTML5 Extending Apps View Extension .

UI Technology Guide for SAP S/4HANA 1809Extensibility P U B L I C 129






Important Disclaimers and Legal Information

HyperlinksSome links are classified by an icon and/or a mouseover text. These links provide additional information.About the icons:

● Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your agreements with SAP) to this:

● The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.● SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any

damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.

● Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this information.

Beta and Other Experimental FeaturesExperimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use the experimental features in a live operating environment or with data that has not been sufficiently backed up.The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example CodeAny software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of example code unless damages have been caused by SAP's gross negligence or willful misconduct.

Gender-Related LanguageWe try not to use gender-specific word forms and formulations. As appropriate for context and readability, SAP may use masculine word forms to refer to all genders.


Important Disclaimers and Legal Information

UI Technology Guide for SAP S/4HANA 1809Important Disclaimers and Legal Information P U B L I C 131

www.sap.com/contactsap

© 2018 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.

Please see https://www.sap.com/about/legal/trademark.html for additional trademark information and notices.

THE BEST RUN

https://www.sap.com/about/legal/trademark.html